Earlier today @RSnake posted about a flaw in how WordPress handles attachments:
I just tested this on a big celeb gossip site and it worked, the horror: http://t.co/Chbl6RQlWi
— Robert Hansen (@RSnake) July 18, 2013
Here are my observations on the same, listed below.
Note: the observations are based on the latest 3.5.2 version of WordPress, with an image uploaded as an attachment. (Anyone running anything older than this seriously needs to check.)
In short: yes, the vulnerability is real, but with a lot of caveats.
If the attachment is not linked to any post, then site/?attachment_id= returns 200 OK and does serve the attachment.
If the attachment is linked to a post/page that is available online, then the response is a 301 redirect.
If the attachment does not exist, then a 404 error is returned.
Also, if the post is still a draft but the attachment is added to it, a 404 is received, or a 301 if the post already has a canonical name.
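The status-code behaviour above is also what you would look for in your own access logs: a single client walking through ?attachment_id=1, 2, 3, ... and collecting 200s for unlinked attachments. The following is an added example (not code from the original post) that parses Apache combined-format log lines, groups attachment_id requests per client, and flags clients that requested several distinct ids. The log lines are constructed samples and the threshold of three distinct ids is an assumption; tune it for your site's traffic.

```python
"""Flag attachment_id enumeration in Apache/nginx combined-format access logs.

Added example, not from the original post. SAMPLE_LOG is constructed data
and MIN_IDS is an assumed threshold; adjust both for a real deployment.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# What each status means for a ?attachment_id= request on WordPress 3.5.2,
# as observed in the post above (403 is what the .htaccess patch returns).
STATUS_MEANING = {
    200: "attachment served (not linked to any published post)",
    301: "redirect to the post/page the attachment is linked to",
    404: "no such attachment, or attachment only in a draft post",
    403: "blocked by the .htaccess rule",
}

# Constructed sample: one client enumerating ids, one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Jul/2013:10:00:01 +0000] "GET /?attachment_id=1 HTTP/1.1" 200 5120
203.0.113.5 - - [18/Jul/2013:10:00:02 +0000] "GET /?attachment_id=2 HTTP/1.1" 301 0
203.0.113.5 - - [18/Jul/2013:10:00:03 +0000] "GET /?attachment_id=3 HTTP/1.1" 404 1200
203.0.113.5 - - [18/Jul/2013:10:00:04 +0000] "GET /?attachment_id=4 HTTP/1.1" 200 8000
203.0.113.5 - - [18/Jul/2013:10:00:05 +0000] "GET /?attachment_id=5 HTTP/1.1" 200 6400
198.51.100.7 - - [18/Jul/2013:10:01:00 +0000] "GET /?p=42 HTTP/1.1" 200 3000
198.51.100.7 - - [18/Jul/2013:10:01:05 +0000] "GET /?attachment_id=9 HTTP/1.1" 403 300
"""

MIN_IDS = 3  # assumed threshold: distinct ids per client before we flag it


def parse_line(line):
    """Parse one log line; return a dict with an int 'attachment_id' or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    ids = parse_qs(urlsplit(rec["path"]).query).get("attachment_id", [])
    rec["attachment_id"] = int(ids[0]) if ids and ids[0].isdigit() else None
    return rec


def summarize(log_text):
    """Per client IP: the set of attachment ids requested and a status histogram."""
    per_ip = defaultdict(lambda: {"ids": set(), "status": defaultdict(int)})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["attachment_id"] is None:
            continue
        per_ip[rec["ip"]]["ids"].add(rec["attachment_id"])
        per_ip[rec["ip"]]["status"][rec["status"]] += 1
    return per_ip


def flag_enumeration(log_text, min_ids=MIN_IDS):
    """Return clients that touched >= min_ids distinct attachment ids, with
    how many unlinked attachments (200) they were served and how many
    requests the .htaccess rule blocked (403)."""
    findings = {}
    for ip, entry in summarize(log_text).items():
        if len(entry["ids"]) >= min_ids:
            findings[ip] = {
                "distinct_ids": len(entry["ids"]),
                "served_200": entry["status"].get(200, 0),
                "blocked_403": entry["status"].get(403, 0),
            }
    return findings


if __name__ == "__main__":
    for ip, info in flag_enumeration(SAMPLE_LOG).items():
        print(ip, info)
    for code, meaning in STATUS_MEANING.items():
        print(code, "=", meaning)
```

Run it against a real log with `flag_enumeration(open("access.log").read())`; a client with a high `served_200` count before the patch is the one whose downloads you should assume are now public, and a non-zero `blocked_403` count after the patch confirms the rule is taking effect.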
WPScan, the leading vulnerability scanner for WordPress, has an issue open on this here: https://github.com/wpscanteam/wpscan/issues/172
So what can we do about it?
Here is a quick .htaccess patch that can be applied to your WordPress instance.
Apply the code below in the .htaccess file in the root of your WordPress installation.
Patch listed below:
<IfModule mod_rewrite.c>
# WordPress's default .htaccess already enables the engine; harmless if repeated
RewriteEngine On
# any request carrying attachment_id=<digits> in the query string...
RewriteCond %{QUERY_STRING} attachment_id=([0-9]*)
# ...is answered with 403 Forbidden and no further rules are processed
RewriteRule ^(.*)$ /index.php [F,L]
</IfModule>
Note: this has only been tested on my personal website, and it results in a 403 error, rather than the home page, being returned for all URLs with attachment_id=.
However, one should also keep in mind that once an attachment has been uploaded online there are other ways to access it, so if you are not ready to expose an attachment to the world it is better not to upload it at all.
Shameless plug: many similar tricks are shared here: https://github.com/anantshri/wp-security. Anyone concerned with WordPress security should definitely visit the page. Feel free to contribute too.
More information will be added as and when it is spotted.