Mission attachment protection

Earlier today @Rsnake posted about a flaw in how wordpress handles the attachments

Here is my observation on the same listed below

Note : observations are based on latest 3.5.2 version of wordpress and with an image uploaded as attachment. (anyone running older than this seriously need to check)

In short Yes the vulnerability is real but with lots of warning.

if attachment not linked to post than site/?attachment_id= is 200 ok and does provide the attachment
if attachment linked to post/page available online then response is 301
if attachment not available then 404 error

also if post is in draft but attachment is added in post then 404 is received or 301 if post has canonical name

WPScan leading vulnerability scanner for wordpress has this issue opened here : https://github.com/wpscanteam/wpscan/issues/172

So what we can do about it.

Here is a quick Htaccess patch that can be applied on your wordpress instance

Apply the below code in .htaccess file in root of your wordpress installation.

Patch listed below

<IfModule mod_rewrite.c>
RewriteCond %{QUERY_STRING} attachment_id=([0-9]*)
RewriteRule ^(.*)$ /index.php [F,L]

Note : this is only tested on my personal website and does result is getting 403 error while displaying back the home page for all url’s with attachment_id=

However one should also keep in mind if they have uploaded an attachment online there are other ways to access the attachment so if you are not ready to expose the attachment to world its better not to upload it.

Shameless Plug : Many such similar tricks are shared here https://github.com/anantshri/wp-security anyone concerned with WordPress security should definitely visit the page. Feel free to contribute too.

More information will be updated as and when spotted.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top