Wordpress 2.7.1 multiple minor vulnerabilities
Multiple vulnerabilities exist in the Wordpress 2.7.1 blogging software; however, successful exploitation requires an admin role.
Wordpress Version 2.7.1
The following vulnerabilities are a result of incorrect sanitization of user-supplied POST data in the browser uploader "Media" component of Wordpress (/wp-admin/media-upload.php). These vulnerabilities can be exploited from the administration panel (/wp-admin/media-new.php?flash=0); however, the risk is minimal as they are only effective on the admin account. Users with admin, editor and author roles can upload files via the Media component; however, only admin can upload and execute PHP files (if wp-content/uploads/ has write and execute permissions).
A simple PHP backdoor (x.php) has been used for this example however any file can be used.
Navigating to /wp-admin/media-new.php?flash=0 and uploading x.php generates the following POSTDATA:
(POST truncated - we're only interested in the "filename" parameter)
This uploads x.php to wp-content/uploads/2009/05/x.php (where 2009 and 05 are the year and month), and displays x.php in Media.
Local Path Disclosure:
The local path of the current upload directory is disclosed when the filename parameter in the POST is modified as follows:
This uploads x.php to wp-content/uploads/2009/05/x.php?< and displays /VAR/WWW/BLOG/WP-CONTENT/UPLOADS/2009/05/X.PHP? in Media.
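As an added illustration of the defensive side (this is not part of the original advisory and not Wordpress's own code), the following Python shows the two checks the uploader described above lacks: reducing the client-supplied filename to a safe basename with an allowlisted, non-executable extension, and showing only a path relative to the uploads directory in the Media listing rather than the absolute filesystem path. The extension allowlist, the deny list of executable extensions, the sample filenames and the uploads root are constructed assumptions.

```python
import os
import re

# Constructed allowlist of extensions an uploader may store. Anything else,
# including every PHP variant, is rejected outright.
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}
# Extensions that must not appear anywhere in the name, not just at the end:
# a name like x.php.jpg is executed by server configurations that honour
# multiple extensions. Constructed deny list.
EXECUTABLE_EXT = {"php", "php3", "php4", "php5", "phtml", "phar"}
# Characters stripped from the basename: path separators, NUL, and the URL /
# shell metacharacters (the advisory shows '?' and '<' surviving into the
# stored path and the Media listing).
FORBIDDEN_CHARS = set('?<>:"|*\\/\x00')


def sanitize_upload_filename(raw: str) -> str:
    """Reduce a client-supplied filename to a safe basename or raise ValueError."""
    if not raw or "\x00" in raw:
        raise ValueError("empty or NUL-containing filename")
    # Keep only the last path component, whatever separator the client used,
    # so ../ sequences and absolute paths never reach the filesystem.
    base = raw.replace("\\", "/").rsplit("/", 1)[-1]
    # Drop control characters and forbidden punctuation; normalise whitespace.
    base = "".join(c for c in base if c not in FORBIDDEN_CHARS and ord(c) >= 0x20)
    base = re.sub(r"\s+", "_", base).strip("._")
    parts = [p for p in base.split(".") if p]
    if len(parts) < 2:
        raise ValueError("filename needs a name and an extension")
    exts = [p.lower() for p in parts[1:]]
    if any(e in EXECUTABLE_EXT for e in exts):
        raise ValueError("executable extension not permitted")
    if exts[-1] not in ALLOWED_EXT:
        raise ValueError(f"extension {exts[-1]!r} not permitted")
    return ".".join([parts[0]] + exts)


def public_upload_path(stored_abs_path: str, uploads_root: str) -> str:
    """Return the path to display in the UI, relative to the uploads directory.

    The absolute filesystem location is never echoed back to the browser,
    which is exactly the information the local path disclosure above leaks.
    A stored path that resolves outside the uploads root is refused.
    """
    root = os.path.realpath(uploads_root)
    full = os.path.realpath(stored_abs_path)
    if os.path.commonpath([root, full]) != root:
        raise ValueError("stored file is outside the uploads directory")
    return os.path.relpath(full, root).replace(os.sep, "/")


if __name__ == "__main__":
    # Constructed sample inputs: a benign upload, a spaced name, a name with a
    # client-side directory, and the advisory's '?<' pattern on a PHP file.
    for name in ["photo.jpg", "report final.PDF", "C:\\Users\\me\\..\\logo.png",
                 "x.php?<", "x.php.jpg", "../../etc/passwd"]:
        try:
            print(f"{name!r:32} -> {sanitize_upload_filename(name)}")
        except ValueError as err:
            print(f"{name!r:32} -> rejected: {err}")
    # Constructed uploads root; the UI only ever sees the relative part.
    print(public_upload_path("/var/www/blog/wp-content/uploads/2009/05/photo.jpg",
                             "/var/www/blog/wp-content/uploads"))
```

The sanitizer rejects rather than repairs anything that would need an executable extension, so the admin-only PHP upload path described above cannot be reached through a mangled filename, and the listing function keeps the absolute upload directory out of every response even when a stored name contains unexpected characters.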
It is also possible to change the resulting filesystem filename inline, for example: