BuddyPress.org

First off, I’m using BP 1.7, and wordpress 3.5.1 website is amazinglyamusing.com.

Just installed BP, and am about to start working on templates to fit it into my theme, however 1 criteria I require, is for users to be able to upload their own avatars, which BP does.

First off, I tested this feature on my localhost development site, and the first thing I tried was to break any security features it has. What I found was, I could easily take a standard raw PHP file, change the extension to .jpg, and it would upload. Of course it gave an error when it got to the cropping section, however the file is sitting in the folder wp-content/uploads/avatar/3. This is a MAJOR security issue, as anyone could very easily upload any malicious file and do what they want, if they can figure out where the uploaded files go(which wouldn’t be all that hard).

I’m just wondering if there’s some setting in BP itself I’m missing, or if this is really how this plugin works. I’ll admit, I don’t know all the ins and outs of web development and security, but this seems pretty dangerous, unless I’m missing something. It was my assumption that DP should be checking MIME filetype, and using other checksums to ensure this sort of thing can’t happen.