[wp-docs] security issues
Brian Shirk
shirkbt at auburn.edu
Tue May 18 19:02:26 CDT 2004
Hey guys, I have a random issue that needs some looking at; I already
tried talking to Matt, but he was a bit of a jerk to me and was talking
down to me after giving me a few non-solutions, so I'm just going to put
this out there and let you guys deal with it. Don't involve me in it.
Last night, I was looking through the code because I was having some
problems with a site that runs wordpress (which I do not own or have
root access to). I found that by setting the file upload directory to,
say, /tmp/, I was able to upload files to places I'm not authorized to
upload them to by the server's administrator. Turns out that there are
no safety checks whatsoever (how is this not a security issue, matt?),
and there is no notification in the docs (especially not the
installation stuff) about this 'feature'. Since everything that gets
uploaded is supposed to be 0766 and on the default installation there is
no separation of virtual hosts or sites, that's a pretty big deal -
defacing, setting up unauthorized porn sites, etc, would be pretty
simple.
I was told that the solution does not involve WordPress, and that I
should just set up separate virtual servers (on a server I don't own) -
which is a bad idea in the first place, given the necessary overhead,
and that there's also an extension to PHP which could help (something
that sets it so it'll only be able to write in a certain subtree, etc) -
which is great, but it's not at all documented, and so the default
installation (as detailed in the 5-minute-install) leaves gaping
security holes, especially on systems such as the one my family uses,
which are basically boxes dedicated to thousands of wordpress
instances.
This is a serious issue and needs to be fixed. (Don't try to argue with
me on that - I was able to test it on a production system, and the
administrator would have had no way of knowing how I did it because it is not
sufficiently documented)
Good luck
-Brian Shirk
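An added example, not code from this mailing list or from WordPress, of the kind of safety check the message says is missing: a Python routine (the function name resolve_upload_dir, the run_demo harness and its temporary site tree are my own constructions) that canonicalises a configured upload directory, refuses anything that resolves outside the site's own subtree (an absolute /tmp, a '..' traversal, or a symlink pointing out), and refuses a world-writable target such as the 0766 directories the report describes.

```python
import os
import shutil
import stat
import tempfile


def resolve_upload_dir(site_root: str, configured: str) -> str:
    """Canonicalise a configured upload path and confine it to site_root."""
    root = os.path.realpath(site_root)
    # Relative settings are joined to the site root; realpath() then collapses
    # '..' and follows symlinks, so the check sees where writes would really land.
    candidate = configured if os.path.isabs(configured) else os.path.join(root, configured)
    target = os.path.realpath(candidate)
    if target != root and not target.startswith(root + os.sep):
        raise ValueError(f"upload path {configured!r} resolves to {target}, outside {root}")
    if not os.path.isdir(target):
        raise ValueError(f"upload path {target} is not a directory")
    # A world-writable directory (the 0766 in the report) lets any local account
    # plant files there; refuse it rather than silently use it.
    if stat.S_IMODE(os.stat(target).st_mode) & stat.S_IWOTH:
        raise ValueError(f"upload path {target} is world-writable")
    return target


def run_demo() -> dict:
    """Build a constructed site tree in a temp dir and classify sample settings."""
    root = tempfile.mkdtemp(prefix="wp-site-")
    os.makedirs(os.path.join(root, "uploads"), mode=0o755)
    os.makedirs(os.path.join(root, "shared"), mode=0o755)
    os.chmod(os.path.join(root, "shared"), 0o777)   # deliberately world-writable
    os.symlink("/tmp", os.path.join(root, "link"))   # symlink pointing out of the tree
    settings = {
        "relative": "uploads",        # the only sane value: inside the site tree
        "absolute_tmp": "/tmp",       # the case from the report
        "dotdot": "../",              # traversal out of the tree
        "symlink": "link",            # looks local, resolves to /tmp
        "world_writable": "shared",   # inside the tree but 0777
    }
    results = {}
    try:
        for name, setting in settings.items():
            try:
                resolve_upload_dir(root, setting)
                results[name] = "accepted"
            except ValueError:
                results[name] = "rejected"
    finally:
        shutil.rmtree(root)
    return results
```

Only the relative path inside the site tree is accepted; the remaining four settings are rejected before any file could be written there.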