WordPress Arbitrary File Upload Vulnerability

WordPress is a free forum/blog system.

The vulnerability is in the code WordPress uses to handle file uploads:

Vulnerable file: 'wp-admin/includes/file.php'

Bugtraq ID:  37005 
Class:  Input Validation Error 
CVE:  
Remote:  Yes 
Local:  No 
Published:  Nov 11 2009 12:00AM 
Updated:  Nov 12 2009 03:56PM 
Credit:  Dawid Golunski 
Vulnerable:  WordPress WordPress 2.8.5
WordPress WordPress 2.8.4
WordPress WordPress 2.8.3
WordPress WordPress 2.8.2
WordPress WordPress 2.8.1
WordPress WordPress 2.8

Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 37005


The code in WordPress responsible for handling file uploads is as follows:

wp-admin/includes/file.php:

---[cut]---
line 217:
function wp_handle_upload( &$file, $overrides = false, $time = null ) {
---[cut]---
        // All tests are on by default. Most can be turned off by $override[{test_name}] = false;
        $test_form = true;
        $test_size = true;

        // If you override this, you must provide $ext and $type!!!!
        $test_type = true;
        $mimes = false;
---[cut]---

        // A properly uploaded file will pass this test. There should be no reason to override this one.
        if (! @ is_uploaded_file( $file['tmp_name'] ) )
                return $upload_error_handler( $file, __( 'Specified file failed upload test.' ));

        // A correct MIME type will pass this test. Override $mimes or use the upload_mimes filter.
        if ( $test_type ) {
                $wp_filetype = wp_check_filetype( $file['name'], $mimes );

                extract( $wp_filetype );

                if ( ( !$type || !$ext ) && !current_user_can( 'unfiltered_upload' ) )
                        return $upload_error_handler( $file,
                                __( 'File type does not meet security guidelines. Try another.' ));

                if ( !$ext )
                        $ext = ltrim(strrchr($file['name'], '.'), '.');

                if ( !$type )
                        $type = $file['type'];
        } else {
                $type = '';
        }

        // A writable uploads dir will pass this test. Again, there's no point overriding this one.
        if ( ! ( ( $uploads = wp_upload_dir($time) ) && false === $uploads['error'] ) )
                return $upload_error_handler( $file, $uploads['error'] );

        $filename = wp_unique_filename( $uploads['path'], $file['name'], $unique_filename_callback );

        // Move the file to the uploads dir
        $new_file = $uploads['path'] . "/$filename";
        if ( false === @ move_uploaded_file( $file['tmp_name'], $new_file ) ) {
                return $upload_error_handler( $file,
                        sprintf( __('The uploaded file could not be moved to %s.' ), $uploads['path'] ) );
        }
---[cut]---

As the code above shows, the supplied file name is checked only by the call $wp_filetype = wp_check_filetype( $file['name'], $mimes );. The wp_check_filetype() function is as follows:

wp-includes/functions.php:

---[cut]---
line 2228:

function wp_check_filetype( $filename, $mimes = null ) {
        // Accepted MIME types are set here as PCRE unless provided.
        $mimes = ( is_array( $mimes ) ) ? $mimes : apply_filters( 'upload_mimes', array(
                'jpg|jpeg|jpe' => 'image/jpeg',
                'gif' => 'image/gif',
                'png' => 'image/png',
                'bmp' => 'image/bmp',
                'tif|tiff' => 'image/tiff',
                'ico' => 'image/x-icon',
                'asf|asx|wax|wmv|wmx' => 'video/asf',
                'avi' => 'video/avi',

                ---[cut, more mime types]---
line 2279:

        $type = false;
        $ext = false;
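The excerpts show that wp_handle_upload() accepts or rejects a file purely on what wp_check_filetype() derives from the client-supplied name. As an added example (not WordPress code), the stricter PHP check below keeps the same $mimes layout as the page's upload_mimes array but also requires every dot-separated suffix of the name to be allow-listed and compares the file's leading bytes with the type the name claims; the allow-list, magic-byte table and sample files are constructed for the demo.

```php
<?php
// Added example, not WordPress code: a stricter counterpart to the page's wp_check_filetype().
// Same $mimes layout ('jpg|jpeg|jpe' => 'image/jpeg'), but every suffix must be allow-listed
// and the file's leading bytes must match the type the last suffix claims.
// Constructed allow-list in the page's upload_mimes key format (assumption: only these three).
$allowed_mimes = array(
    'jpg|jpeg|jpe' => 'image/jpeg',
    'gif'          => 'image/gif',
    'png'          => 'image/png',
);
// Constructed magic-byte prefixes for those three types.
$magic_bytes = array(
    'image/jpeg' => "\xFF\xD8\xFF",
    'image/gif'  => "GIF8",
    'image/png'  => "\x89PNG\r\n\x1a\n",
);
// Returns array('ext' => ..., 'type' => ...) on success, array('error' => reason) otherwise.
function strict_check_filetype($filename, $tmp_path, array $mimes, array $magic) {
    $parts = explode('.', basename($filename));
    if (count($parts) < 2) {
        return array('error' => 'no extension');
    }
    array_shift($parts);                     // drop the base name, keep every suffix
    foreach ($parts as $suffix) {            // every suffix must be on the allow-list
        $type = false;
        foreach ($mimes as $ext_preg => $mime) {
            if (in_array(strtolower($suffix), explode('|', $ext_preg), true)) {
                $type = $mime;
                break;
            }
        }
        if ($type === false) {
            return array('error' => "extension '$suffix' is not allowed");
        }
    }
    // The last suffix decides the type; the stored bytes must carry that type's signature.
    $head = file_get_contents($tmp_path, false, null, 0, 16);
    if (!isset($magic[$type]) || $head === false || strncmp($head, $magic[$type], strlen($magic[$type])) !== 0) {
        return array('error' => 'file content does not match the claimed type');
    }
    return array('ext' => strtolower(end($parts)), 'type' => $type);
}
// Constructed inputs: a file with a real PNG header and a file holding PHP source, both named *.png.
$png = tempnam(sys_get_temp_dir(), 'up'); file_put_contents($png, "\x89PNG\r\n\x1a\n" . str_repeat("\0", 8));
$php = tempnam(sys_get_temp_dir(), 'up'); file_put_contents($php, "<?php echo 1; ?>");
var_dump(strict_check_filetype('photo.png', $png, $allowed_mimes, $magic_bytes));
var_dump(strict_check_filetype('photo.txt.png', $png, $allowed_mimes, $magic_bytes));
var_dump(strict_check_filetype('photo.png', $php, $allowed_mimes, $magic_bytes));
unlink($png); unlink($php);
```

Only the first call returns an ext/type pair; the second fails on the non-allow-listed 'txt' suffix and the third on the content check, so neither file would reach move_uploaded_file().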
