Common Vulnerabilities and Exposures assigned an identifier CVE-2008-2392 to the following vulnerability: Unrestricted file upload vulnerability in WordPress 2.5.1 and earlier might allow remote authenticated administrators to upload and execute arbitrary PHP files via the Upload section in the Write Tabs area of the dashboard. References: http://www.securityfocus.com/archive/1/archive/1/492230/100/0/threaded http://www.securityfocus.com/bid/29276
This can only be an issue in deployments where the blog administrator does not have local access to the web server, or where that access is restricted in a way that he cannot create a PHP script in, e.g., the public_html directory to run arbitrary code as the web server user. I'm tempted to call this notabug for Fedora. The WordPress RPM installs the WordPress files to /usr/share/wordpress, owned by user root and not writable by the web server user. For uploads to work, the system administrator would have to change permissions on the wp-content/uploads directory to make uploads possible. The blog admin can possibly change the upload directory, but, by default, there is no directory writable by the web server user that is also configured to be served via the web server. The second vector described in the announcement cannot be exploited by default either, as plugin files are not writable by the web server user and cannot be modified to contain malicious PHP code. I failed to find any related ticket in the upstream trac. Adrian, John, do you know whether upstream has any statement regarding this or is planning to implement any fixes for this issue? Do you agree with the notabug assessment of this problem, or have I missed anything in my analysis? Thanks!
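The assessment above rests on one property of the deployment: nothing under the served WordPress tree is writable by the web server user. The audit below is an added example (not code from this bug report, WordPress or Fedora) that checks that property from ownership and mode bits alone, ignoring ACLs and SELinux; the directory tree and the web server uid it inspects are constructed in `demo()`.

```python
import os
import stat
import tempfile

def writable_by(path, uid, gids):
    """Judge from ownership and mode bits only (no ACL or SELinux awareness)
    whether a user with this uid and set of gids can write to `path`."""
    st = os.lstat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def find_writable(root, uid, gids):
    """Return the paths under `root` (relative, sorted) that the given user
    could modify; a writable directory lets that user create new files in it."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in [None] + filenames:
            full = dirpath if name is None else os.path.join(dirpath, name)
            if writable_by(full, uid, gids):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)

def demo():
    """Constructed WordPress-like tree: everything owned by the current user
    with mode 0755 (mirroring the root-owned RPM layout), except
    wp-content/uploads, which an admin has made world-writable so uploads
    work. The web server user is a hypothetical uid that owns nothing here
    and shares no group with the files."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    os.makedirs(os.path.join(root, "wp-content", "plugins"))
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    plugin = os.path.join(root, "wp-content", "plugins", "hello.php")
    open(plugin, "w").close()
    for p in (root, os.path.join(root, "wp-content"),
              os.path.join(root, "wp-content", "plugins"), plugin):
        os.chmod(p, 0o755)
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)
    web_uid = os.getuid() + 1  # hypothetical uid standing in for the web server user
    return find_writable(root, web_uid, set())

if __name__ == "__main__":
    for p in demo():
        print("writable by web server user:", p)
```

Run against a real install, pass the actual uid and gids of the httpd user (from `pwd`/`grp`) and the document root; every path reported is one where that user could place or alter a PHP file.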
I do not know if upstream is planning anything. But I am not following development closely enough to really make a valid statement. As you described it, it does not sound like it is a problem for the default Fedora installation, and therefore I agree with you to close it. If upstream releases a new version, I would update to the newest version, because this always seems the best approach with WordPress.
This behaviour is intentional, as per http://codex.wordpress.org/CVEs#2008: '"Admin" user has ability to edit plugins and upload files if file permissions allow - this is intentional.'