
Re: Is Group Documents safe on large sites? Can people upload malicious code/ viruses etc?

Peter Anselmo


Hi @rossagrant, @r-a-y & @hkcharlie,
Thanks for the good question. So, there are three separate questions here that are slightly but significantly different, and often get merged into one.

First: ‘Can people upload malicious things?’
Yes. Say I have a file MyVirus.exe. I can rename it to MyVirus.exe.txt, and upload it to the site. Adding a MIME type check would help significantly, but it’s not foolproof, as the MIME type can also be spoofed. What it would do is take what I would call a “casual” malicious user out of the picture, as only more experienced and/or motivated malicious users are going to go through the trouble of spoofing MIME types. Although this sounds terrible, it’s not as bad as you might think, leading into the next question…

‘Will this cause any problems for my website/server?’
No. This is not much of an issue for several reasons. The main reason is that Apache doesn’t give uploaded files executable permission. So, even if a virus is uploaded, and a user clicks on it, the most likely scenario is that the user will see the source code (which may be a bunch of junk if it’s a binary file). Even if it was a file that the web server could process (like a PHP file or shell script), it still would just display the source.

‘Is this a hazard to my users?’
Not likely. Given the above scenario, someone malicious would need to rename a file extension, upload it to the site, get people to download it, and get people to change the extension. So, if the user is really dumb, it’s possible. I’d like to think that someone that goes around downloading things and changing extensions from txt to exe would learn their lesson pretty quick.

I hope that helps. If someone is a security expert, I hope they might add more to the topic, but those are the risks to the best of my knowledge.
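
Added example, not part of the original post and not code from the Group Documents plugin: a PHP sketch of a server-side check for the renamed-file case described above, comparing a file's final extension against its leading bytes instead of the client-supplied MIME type. The function names, the allow-list and the sample uploads are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Leading-byte signatures for a few formats (a small illustrative set, not exhaustive).
const SIGNATURES = [
    'windows-executable' => "MZ",
    'elf-executable'     => "\x7fELF",
    'pdf'                => "%PDF-",
    'png'                => "\x89PNG\r\n\x1a\n",
    'php-script'         => "<?php",
    'script'             => "#!",
];

// Hypothetical allow-list: final extension => content kind the bytes must match.
const ALLOWED = ['txt' => 'text', 'pdf' => 'pdf', 'png' => 'png'];

function sniff_kind(string $bytes): string
{
    foreach (SIGNATURES as $kind => $magic) {
        if (strncmp($bytes, $magic, strlen($magic)) === 0) {
            return $kind;
        }
    }
    // No known signature: call it text only if it is NUL-free, valid UTF-8.
    $isText = strpos($bytes, "\0") === false && preg_match('//u', $bytes) === 1;
    return $isText ? 'text' : 'unknown-binary';
}

function check_upload(string $name, string $claimedMime, string $bytes): string
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        return "reject: extension '$ext' not allowed";
    }
    $kind = sniff_kind($bytes);
    // $claimedMime is supplied by the client, so it is reported but never trusted.
    return $kind === ALLOWED[$ext]
        ? "accept: $name is $kind"
        : "reject: $name claims $claimedMime but content is $kind";
}

// Constructed sample uploads: [file name, client-supplied MIME type, first bytes].
$samples = [
    ['notes.txt',       'text/plain',      "Meeting notes for Tuesday\n"],
    ['MyVirus.exe.txt', 'text/plain',      "MZ\x90\x00\x03\x00\x00\x00"],
    ['report.pdf',      'application/pdf', "%PDF-1.4\n"],
];
foreach ($samples as [$name, $mime, $bytes]) {
    echo check_upload($name, $mime, $bytes), PHP_EOL;
}
```

Signature matching is itself a heuristic: it catches the renamed executable in the sample, but a file can be crafted to begin with an allowed signature, so it narrows the problem rather than closing it.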
