WordPress Vulnerable To Custom Field Uploads



David Utter
Staff Writer
2007-06-26



Those who have not upgraded WordPress to 2.2.1, or WordPress MU to 1.2.3, should do so to help mitigate a newly disclosed vulnerability.

Upgrading alone does not close the hole, however. Alexander Concha, who disclosed the arbitrary file upload vulnerability, said updating WordPress or WordPress MU provides only a partial fix.

"The best way to avoid attacks is to disable the access to wp-app.php or app.php," he said.

wp-app.php, the Atom Publishing Protocol endpoint, handles file uploads. "WordPress also gives the ability to add custom fields in normal posts or pages (these fields are stored in the wp_postmeta table too), but it does not check whether these special meta-data fields of attachments are added in normal posts," said Concha.

Secunia summarized the potential threat from this issue:

The vulnerability is caused due to improper authentication verification. This can be exploited to add the custom field "_wp_attached_file" to a post, upload a PHP script to an arbitrary path with wp-app.php or app.php, and execute arbitrary PHP code.

Successful exploitation requires valid Editor credentials and that the system is configured to allow uploads.
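As an added example (not from the article, from Secunia, or from Concha's advisory), here is the audit a site owner could run against an existing WordPress database to look for the precondition Secunia describes: a `_wp_attached_file` custom field hanging off a post or page rather than off an attachment. The table and column names are WordPress's own (wp_posts.ID/post_type, wp_postmeta.post_id/meta_key/meta_value); the rows are constructed sample data and the file paths in them are hypothetical. The example uses an in-memory SQLite database so it runs offline; against a live site you would point the same query at MySQL.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample rows standing in for the two WordPress tables involved.
# Column names follow the real schema; the content is invented for this example.
SAMPLE_POSTS = [
    (1, "post"),        # ordinary blog post
    (2, "attachment"),  # genuine media attachment
    (3, "page"),        # ordinary page
    (4, "attachment"),  # genuine media attachment
]
SAMPLE_POSTMETA = [
    (2, "_wp_attached_file", "2007/06/photo.jpg"),           # legitimate: on an attachment
    (1, "_wp_attached_file", "../../wp-content/shell.php"),  # planted on a normal post (hypothetical)
    (3, "_wp_attached_file", "evil.php"),                    # planted on a page (hypothetical)
    (4, "_wp_attached_file", "2007/06/doc.pdf"),             # legitimate
    (1, "mood", "happy"),                                    # an unrelated custom field
]

# The audit: _wp_attached_file should only ever hang off posts of type 'attachment'.
AUDIT_SQL = """
SELECT p.ID, p.post_type, m.meta_value
FROM wp_postmeta AS m
JOIN wp_posts AS p ON p.ID = m.post_id
WHERE m.meta_key = '_wp_attached_file'
  AND p.post_type <> 'attachment'
ORDER BY p.ID
"""


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_type TEXT NOT NULL)")
    conn.execute(
        "CREATE TABLE wp_postmeta (post_id INTEGER NOT NULL, meta_key TEXT NOT NULL, meta_value TEXT)"
    )
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?)", SAMPLE_POSTS)
    conn.executemany("INSERT INTO wp_postmeta VALUES (?, ?, ?)", SAMPLE_POSTMETA)
    conn.commit()
    return conn


def is_dangerous_target(meta_value: str) -> bool:
    """True if the stored path could escape the uploads directory or names a PHP script."""
    lowered = meta_value.lower().replace("\\", "/")
    escapes = lowered.startswith("/") or any(part == ".." for part in lowered.split("/"))
    executable = lowered.endswith((".php", ".phtml", ".php3", ".php4", ".php5"))
    return escapes or executable


def find_misplaced_attachment_meta(conn: sqlite3.Connection) -> List[Tuple[int, str, str, bool]]:
    """Return (post ID, post_type, meta_value, dangerous?) for every _wp_attached_file
    that sits on a post or page instead of an attachment."""
    rows = conn.execute(AUDIT_SQL).fetchall()
    return [(post_id, post_type, value, is_dangerous_target(value)) for post_id, post_type, value in rows]


if __name__ == "__main__":
    for post_id, post_type, value, dangerous in find_misplaced_attachment_meta(build_sample_db()):
        flag = "DANGEROUS" if dangerous else "suspicious"
        print(f"post {post_id} ({post_type}): _wp_attached_file={value!r} [{flag}]")
```

Any hit is worth investigating, because a normal post has no legitimate reason to carry this key; a hit whose value points outside the uploads directory or ends in a PHP extension is the fingerprint of the attack described above. The audit only catches meta-data that is still present, so an attacker who removes the custom field after the upload leaves no trace in these tables; it is a detection aid, not a substitute for upgrading and for denying web access to wp-app.php and app.php as Concha recommends.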


About the Author:
David Utter is a business and technology writer for SecurityProNews and WebProNews.
