Red Hat Bugzilla – Bug 447888
CVE-2008-2392 wordpress: Malicious File Execution Vulnerability
Last modified: 2010-12-23 14:05:32 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-2392 to the following vulnerability:
Unrestricted file upload vulnerability in WordPress 2.5.1 and earlier might allow remote authenticated administrators to upload and execute arbitrary PHP files via the Upload section in the Write Tabs area of the dashboard.
This can only be an issue in deployments where the blog administrator does not have local access to the web server, or where the access is restricted in a way that he cannot create a PHP script in e.g. the public_html directory to run arbitrary code as the web server user.
I'm tempted to call this notabug for Fedora. The WordPress RPM installs the wordpress files to /usr/share/wordpress, owned by user root and not writable by the web server. For uploads to work, the system administrator would have to change the permissions on the wp-content/uploads directory to make uploads possible. The blog admin can possibly change the upload directory, but, by default, there is no directory writable by the web server user that is also configured to be served via the web server.
The second vector described in the announcement cannot be exploited by default either, as plugin files are not writable by the web server user and cannot be modified to contain malicious PHP code.
I failed to find any related ticket in the upstream trac. Adrian, John, do you know whether upstream has any statement regarding this or is planning to implement any fixes for this issue? Do you agree with the notabug assessment of this problem, or have I missed anything in my analysis? Thanks!
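An added audit script, not from the bug report or from the WordPress project, that checks the layout the comment above relies on: it walks a WordPress tree, assumed to be served in full, and reports directories the web server user could write to (the precondition for the upload vector) and PHP files already sitting under wp-content/uploads. The sample tree, its file names and the choice of the current uid/gid as the web server identity are constructed for the demo.

```python
import os
import shutil
import stat
import tempfile

PHP_SUFFIXES = (".php", ".phtml", ".php5")

def is_writable_by(st, uid, gid):
    """True if a process running as uid/gid could write to the object described
    by st, judged from the mode bits alone (the root override is ignored)."""
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid == gid and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)

def audit_wordpress_tree(root, web_uid, web_gid):
    """Walk a WordPress install assumed to be served in full and report
    (a) directories the web server user could write to, where an uploaded
    .php file could be created and then executed, and
    (b) PHP files already present under wp-content/uploads."""
    writable_dirs, php_in_uploads = [], []
    uploads = os.path.join(root, "wp-content", "uploads")
    for dirpath, _dirs, filenames in os.walk(root):
        if is_writable_by(os.stat(dirpath), web_uid, web_gid):
            writable_dirs.append(os.path.relpath(dirpath, root))
        if dirpath == uploads or dirpath.startswith(uploads + os.sep):
            for name in filenames:
                if name.lower().endswith(PHP_SUFFIXES):
                    php_in_uploads.append(os.path.relpath(os.path.join(dirpath, name), root))
    return {"writable_dirs": sorted(writable_dirs), "php_in_uploads": sorted(php_in_uploads)}

def demo():
    """Constructed sample tree: read-only like the packaged install, except that
    the sysadmin opened wp-content/uploads and a PHP file ended up in it.
    The web server is assumed (for the demo) to run as the current user/group."""
    base = tempfile.mkdtemp()
    for sub in ("wp-admin", "wp-content/plugins", "wp-content/uploads/2008"):
        os.makedirs(os.path.join(base, sub))
    with open(os.path.join(base, "wp-content", "plugins", "hello.php"), "w") as f:
        f.write("<?php // packaged plugin file, not writable by the web server ?>\n")
    with open(os.path.join(base, "wp-content", "uploads", "2008", "image.php"), "w") as f:
        f.write("<?php // constructed placeholder, carries no payload ?>\n")
    for dirpath, _dirs, _files in os.walk(base):
        os.chmod(dirpath, 0o555)                       # root-owned, read-only layout
    for sub in ("wp-content/uploads", "wp-content/uploads/2008"):
        os.chmod(os.path.join(base, sub), 0o755)       # the one directory opened for uploads
    try:
        return audit_wordpress_tree(base, os.getuid(), os.getgid())
    finally:
        for dirpath, _dirs, _files in os.walk(base):
            os.chmod(dirpath, 0o755)
        shutil.rmtree(base)
```

On a real host, point audit_wordpress_tree at the document root and pass the uid/gid the httpd worker actually runs as; any directory it lists is one where an admin-uploaded .php file would be both written and served.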
I do not know if upstream is planning anything, but I am not following development closely enough to really make a valid statement. As you described it, it does not seem to be a problem for the default Fedora installation, and therefore I agree with you to close it. If upstream releases a new version I will update to the newest version, because that always seems to be the best with WordPress.
This behaviour is intentional, as per http://codex.wordpress.org/CVEs#2008 :
"'Admin' user has ability to edit plugins and upload files if file permissions allow - this is intentional."