Doing some tinkering with wordpress for a job I'm doing.
I found a vulnerability'ish/feature in wordpress.
Apparently, zip files support directory traversals in the directory names. http://en.wikipedia.org/wiki/Directory_traversal_attack
WordPress (and probably PHP altogether) honors these traversals with the WordPress plugin upload tool.
So.. you could include a file called ../../../../../etc/passwd, and completely lock the person out of the server, as well as reset the password hash to your own password.
So... Be careful the next time you're trying out random themes or plugins on your wordpress install..
Proper permissions setup, and you'll have avoided most of the risk. This only works if the user you're uploading with has permissions to overwrite the file in question. Your home directory is probably a big threat, because it could install some bash script stuff in your .bashrc.
This is probably a non-issue as well, because if you're running a theme, or a plugin from a malicious user, you're already fucked. This may help people not get caught for longer though. Most of the time, you download a theme, and then look at the source code to see if it's malicious, but if the .zip file itself is malicious, you may miss it.
Most default Linux setups have proper permissions from the get go. Windows users should probably be worried about this. I haven't tested it in Windows, but I imagine you could do some damage. #hack #wordpress #wordpressplugins
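As an added defensive check (my own example, not code from the post or from WordPress): a Python routine that inspects every entry name in an uploaded archive and refuses to extract it when any name would resolve outside the plugin directory. The sample archives and the destination path are constructed for the demo.

```python
import io
import os
import re
import tempfile
import zipfile

# Constructed sample archives (not real plugins): a clean one, and one carrying the traversal entry the post describes plus an absolute-path entry.
def build_clean_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("my-plugin/my-plugin.php", "<?php // harmless ?>")
        zf.writestr("my-plugin/readme.txt", "just a readme")
    return buf.getvalue()

def build_malicious_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("my-plugin/my-plugin.php", "<?php // harmless ?>")
        zf.writestr("../../../../../etc/passwd", "constructed content\n")
        zf.writestr("/etc/hosts", "constructed content\n")
    return buf.getvalue()

def unsafe_entries(zip_bytes: bytes, dest: str) -> list:
    """Names of entries that would resolve outside dest (zip slip check)."""
    dest_real = os.path.realpath(dest)
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")  # Windows-style separators
            # Drive letters and leading slashes are absolute on the target OS
            if name.startswith("/") or re.match(r"^[A-Za-z]:", name):
                bad.append(info.filename)
                continue
            target = os.path.realpath(os.path.join(dest_real, name))
            if os.path.commonpath([dest_real, target]) != dest_real:
                bad.append(info.filename)
    return bad

def safe_extract(zip_bytes: bytes, dest: str) -> list:
    """Refuse the whole archive if any entry escapes dest; else extract all."""
    bad = unsafe_entries(zip_bytes, dest)
    if bad:
        raise ValueError("archive contains traversal entries: %r" % bad)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)
        return sorted(zf.namelist())

def extract_to_tempdir(zip_bytes: bytes) -> list:
    # Helper for a self-contained run: extract into a fresh temporary directory
    return safe_extract(zip_bytes, tempfile.mkdtemp(prefix="wp-plugin-"))
```

Python's own `extractall` already drops leading slashes and `..` components when writing, so it would not have been hit by this; the explicit check is there so an upload with such entries gets rejected and logged instead of silently renamed.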