A potential security issue with avatar uploads

  • lagdonkey
    Participant

    @lagdonkey

    First off, I’m using BP 1.7 and WordPress 3.5.1; the website is amazinglyamusing.com.

    I just installed BP and am about to start working on templates to fit it into my theme; however, one criterion I require is for users to be able to upload their own avatars, which BP does.

    First off, I tested this feature on my localhost development site, and the first thing I tried was to break any security features it has. What I found was that I could easily take a standard raw PHP file, change the extension to .jpg, and it would upload. Of course it gave an error when it got to the cropping section; however, the file is sitting in the folder wp-content/uploads/avatar/3. This is a MAJOR security issue, as anyone could very easily upload any malicious file and do what they want, if they can figure out where the uploaded files go (which wouldn’t be all that hard).

    I’m just wondering if there’s some setting in BP itself I’m missing, or if this is really how this plugin works. I’ll admit, I don’t know all the ins and outs of web development and security, but this seems pretty dangerous, unless I’m missing something. It was my assumption that BP should be checking the MIME filetype, and using other checksums to ensure this sort of thing can’t happen.
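
The kind of content check the post above expects, as an added example that is not part of the original post and is not BuddyPress code: the upload is typed by its bytes, must decode as an image, and is re-encoded before being stored. The function name `store_avatar_safely()` and the file names are hypothetical, and the fileinfo and GD extensions are assumed to be available.

```php
<?php
// Added example, not BuddyPress code. store_avatar_safely() and the file
// names below are hypothetical; requires the fileinfo and GD extensions.

function store_avatar_safely(string $tmpPath, string $destDir): ?string
{
    $allowed = ['image/jpeg', 'image/png', 'image/gif'];

    // 1. Determine the type from the file's bytes, never from its name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !in_array($mime, $allowed, true)) {
        return null;
    }

    // 2. Require that the bytes actually decode as an image.
    $bytes = file_get_contents($tmpPath);
    $image = ($bytes === false) ? false : @imagecreatefromstring($bytes);
    if ($image === false) {
        return null;
    }

    // 3. Re-encode under a server-chosen name so that only pixel data,
    //    not the uploaded bytes or the uploaded file name, is stored.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.png';
    return imagepng($image, $dest) ? $dest : null;
}

// Constructed sample inputs: a PHP script renamed to .jpg, and a real JPEG.
$dir = sys_get_temp_dir();
$renamedScript = $dir . '/constructed-script.jpg';
file_put_contents($renamedScript, "<?php echo 'not an image'; ?>");
$realImage = $dir . '/constructed-image.jpg';
imagejpeg(imagecreatetruecolor(8, 8), $realImage);

foreach ([$renamedScript, $realImage] as $upload) {
    $stored = store_avatar_safely($upload, $dir);
    $result = ($stored === null) ? 'rejected' : 'stored as ' . basename($stored);
    echo basename($upload), ' => ', $result, PHP_EOL;
}
```

Type sniffing looks only at the leading bytes of a file, which is why the example also decodes the image and writes a fresh copy instead of moving the uploaded file into place.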

  • Henry
    Participant

    @henrywright-1

    Once you’ve confirmed it is a bug/security issue, you can raise a ticket at BuddyPress Trac. The development team will then take a look.

    http://buddypress.trac.wordpress.org/

    Hugo
    Moderator

    @hnla

    If you think you’ve found a security issue it really should be reported privately to a core dev.

    I don’t think this is an issue, looking at upload avatar functions, but perhaps could use some hardening. Open a ticket.

    lagdonkey
    Participant

    @lagdonkey

    Okay, if a mod wants to lock/edit this to hide the information I posted, just in case it is a bug that needs to be patched.
