A potential security issue with avatar uploads

  • lagdonkey


    First off, I’m using BP 1.7, and WordPress 3.5.1 website is

    Just installed BP, and am about to start working on templates to fit it into my theme; however, one criterion I require is for users to be able to upload their own avatars, which BP does.

    First off, I tested this feature on my localhost development site, and the first thing I tried was to break any security features it has. What I found was, I could easily take a standard raw PHP file, change the extension to .jpg, and it would upload. Of course it gave an error when it got to the cropping section, however the file is sitting in the folder wp-content/uploads/avatar/3. This is a MAJOR security issue, as anyone could very easily upload any malicious file and do what they want, if they can figure out where the uploaded files go (which wouldn’t be all that hard).

    I’m just wondering if there’s some setting in BP itself I’m missing, or if this is really how this plugin works. I’ll admit, I don’t know all the ins and outs of web development and security, but this seems pretty dangerous, unless I’m missing something. It was my assumption that BP should be checking MIME filetype, and using other checksums to ensure this sort of thing can’t happen.
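The check the poster is asking for, shown as an added example that is not BuddyPress code: decide from the file's leading bytes rather than its extension, so a PHP file renamed to .jpg is rejected before it is written to the uploads folder. Written in Python for illustration (in the plugin itself this would live in PHP); the sample uploads are constructed, and the PHP-tag scan is a heuristic for image/script polyglots, with re-encoding the image being the stronger option.

```python
import os

# Magic bytes of the image formats an avatar upload should accept.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def sniff_image_type(data: bytes):
    """Return the image type implied by the leading bytes, or None."""
    for ext, sigs in MAGIC.items():
        if any(data.startswith(sig) for sig in sigs):
            return ext
    return None


def validate_avatar(filename: str, data: bytes, max_bytes: int = 2 * 1024 * 1024):
    """Return (ok, reason). The decision is made from the content, never the name alone."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext not in MAGIC:
        return False, "extension not allowed"
    if len(data) > max_bytes:
        return False, "file too large"
    sniffed = sniff_image_type(data)
    if sniffed is None:
        return False, "content is not a recognised image"
    # jpg and jpeg share a signature, so compare signatures rather than names.
    if MAGIC[sniffed] != MAGIC[ext]:
        return False, f"extension .{ext} does not match content ({sniffed})"
    # Heuristic for polyglots: a real image header followed by a PHP open tag.
    if b"<?php" in data or b"<?=" in data:
        return False, "embedded PHP tag"
    return True, "ok"


# Constructed sample uploads (not files from the thread).
SAMPLES = {
    "me.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + b"\xff\xd9",
    "renamed.jpg": b"<?php echo 'not an image'; ?>",  # PHP source renamed to .jpg
    "poly.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b"<?php echo 1; ?>",
    "note.txt": b"plain text",
}


def run_samples():
    """Validate every constructed sample and return {name: (ok, reason)}."""
    return {name: validate_avatar(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, why) in run_samples().items():
        print(f"{name}: {'accept' if ok else 'reject'} ({why})")
```

Content validation should be paired with a web-server rule that refuses to execute scripts under wp-content/uploads, so a file that slips past the check still cannot run.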

Viewing 3 replies - 1 through 3 (of 3 total)

  • Henry


    Once you’ve confirmed it is a bug/security issue, you can raise a ticket at BuddyPress Trac. The development team will then take a look.

  • Hugo Ashmore


    If you think you’ve found a security issue it really should be reported privately to a core dev.

    I don’t think this is an issue, looking at upload avatar functions, but perhaps could use some hardening. Open a ticket.



    Okay, if a mod wants to lock/edit this to hide the information I posted, just in case it is a bug that needs to be patched.

  • The topic ‘A potential security issue with avatar uploads’ is closed to new replies.