WordPress 2.7.1 multiple minor vulnerabilities

Multiple vulnerabilities exist in the WordPress 2.7.1 blogging software; however, successful exploitation requires an admin role.

Software

WordPress Version 2.7.1

URL: http://wordpress.org/

Source: http://wordpress.org/latest.zip

Vulnerabilities

The following vulnerabilities result from incorrect sanitization of user-supplied POST data in the browser uploader of the WordPress "Media" component (/wp-admin/media-upload.php). They can be exploited from the administration panel (/wp-admin/media-new.php?flash=0); however, the risk is minimal because they are only effective from the admin account. Users with the admin, editor and author roles can upload files via the Media component, but only an admin can upload and execute PHP files (if wp-content/uploads/ has write and execute permissions).

A simple PHP backdoor (x.php) has been used for this example; however, any file can be used.

Navigating to /wp-admin/media-new.php?flash=0 and uploading x.php generates the following POST data:

(POST truncated - we're only interested in the "filename" parameter)

This uploads x.php to wp-content/uploads/2009/05/x.php (where 2009 and 05 are the year and month), and displays x.php in Media.

Local Path Disclosure :

The local path of the current upload directory is disclosed when the filename parameter in the POST is modified as follows:

This uploads x.php to wp-content/uploads/2009/05/x.php?< and displays /VAR/WWW/BLOG/WP-CONTENT/UPLOADS/2009/05/X.PHP? in Media.

It is also possible to change the resulting filesystem filename inline, for example:

This uploads x.php to wp-content/uploads/2009/05/.php and displays (no title).php in Media.

Denial of Service :

Illegal characters such as <, > and " can be used in filenames. For example, if filename="x.php?<" is used, WordPress will allow users to delete the "x.php?<" file from Media; however, it is not removed from the filesystem. This may result in denial of service by using up free disk space without the admin's knowledge.
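As an added illustration (not code from this advisory or from WordPress itself), the following PHP filter normalises the multipart "filename" value before it reaches the filesystem, so the name shown in Media and the name on disk can no longer diverge; it is run over the three names used above. The executable-extension deny-list is an assumed policy, not something the advisory specifies.

```php
<?php
// Added example, not WordPress's own code: normalise an upload filename taken
// from a multipart "filename" parameter before anything is written to disk.

function normalize_upload_filename(string $raw): ?string
{
    // Drop control bytes a hand-built multipart header can carry, then keep
    // only the last path component.
    $name = basename(preg_replace('/[\x00-\x1f\x7f]/', '', $raw));

    // Delete every character outside a conservative whitelist; this removes
    // ? < > " and friends, so "x.php?<" collapses to "x.php".
    $name = preg_replace('/[^A-Za-z0-9._-]/', '', $name);

    // Reject what is left if it is empty, starts with a dot (a hidden file
    // such as ".php"), or still contains a ".." segment.
    if ($name === '' || $name[0] === '.' || strpos($name, '..') !== false) {
        return null;
    }
    return $name;
}

function has_executable_extension(string $name): bool
{
    // Assumed deny-list; adjust it to what the web server actually executes.
    $deny = ['php', 'php3', 'php4', 'php5', 'phtml', 'phar'];
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($ext, $deny, true);
}

// Constructed sample inputs: the advisory's three cases plus two variants.
$samples = ['x.php', '.php', 'x.php?<', 'x.gif?<', '../a"<>.gif'];
foreach ($samples as $raw) {
    $name = normalize_upload_filename($raw);
    if ($name === null) {
        $verdict = 'rejected (empty or hidden basename)';
    } elseif (has_executable_extension($name)) {
        $verdict = "rejected (executable extension): $name";
    } else {
        $verdict = "accepted as: $name";
    }
    printf("%-14s -> %s\n", var_export($raw, true), $verdict);
}
```

With this in place the ".php" and "x.php?<" cases are refused outright, and "x.gif?<" is stored and listed under the same name, "x.gif", so deleting it from Media also removes it from disk.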

Vendor Notification

Appendix : POSTDATA :

Upload x.php

Upload x.php as .php (Hidden)

Upload x.php as x.php?< (Local path disclosure. Creates an undeletable file. Cannot execute as PHP)

Reference

OWASP: Denial of Service

OWASP: Information Disclosure

OWASP: Unrestricted File Upload