
security issue

  • @omshankar

    Participant

    If I allow users to upload their profile picture and a user uploads a shell/malware with the extension .jpg, then what? Will BuddyPress disallow these shells that have the extension .jpg? Because lots of sites are being hacked by this method. They upload an encrypted shell by changing its extension from .php to .jpg and then it's done. The site gets hacked once the shell is uploaded.

Viewing 5 replies - 1 through 5 (of 5 total)
  • @venutius

    Moderator

    I’m thinking WordPress would catch this in its MIME checks, have you tried it?

    @omshankar

    Participant

    MIME check is a plugin?

    @venutius

    Moderator

    WordPress checks the file format of all uploads to make sure the file content matches the claims of the filename, and rejects files that don’t match.

    @omshankar

    Participant

    So will it reject an encrypted shell with extension jpg, png, gif etc.?

    @venutius

    Moderator

    I’ve just tried it and the upload failed.
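
The kind of check described in the replies above (the file's content must match what its name claims), sketched as an added example in plain PHP. It is not WordPress or BuddyPress code and not from any participant in this thread; the function name, allow-list and sample files are assumptions constructed for illustration.

```php
<?php
// Added illustration, not WordPress/BuddyPress code. Names and the allow-list are assumptions.

// Extension => MIME type the content must sniff as (constructed allow-list).
const ALLOWED_IMAGE_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Return true only when the file's content matches the type its name claims.
 * $path is the temporary upload on disk, $clientName the user-supplied filename.
 */
function upload_matches_claimed_type(string $path, string $clientName): bool
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGE_TYPES[$ext])) {
        return false; // extension not on the allow-list
    }

    // Sniff the type from the bytes, ignoring the name and the browser-sent Content-Type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $sniffed = $finfo->file($path);
    if ($sniffed !== ALLOWED_IMAGE_TYPES[$ext]) {
        return false; // content is not the image type the extension claims
    }

    // Require the image header to parse as well.
    $info = @getimagesize($path);
    return $info !== false && $info['mime'] === ALLOWED_IMAGE_TYPES[$ext];
}

// Constructed sample inputs: a script renamed to .jpg, and a genuine 1x1 GIF.
$dir = sys_get_temp_dir();
$renamed = $dir . '/avatar-test.jpg';
$realGif = $dir . '/avatar-test.gif';
file_put_contents($renamed, "<?php echo 'not an image'; ?>");
file_put_contents($realGif, base64_decode('R0lGODlhAQABAIAAAAAAAP///ywAAAAAAQABAAACAUwAOw=='));

var_dump(upload_matches_claimed_type($renamed, 'avatar.jpg')); // renamed script
var_dump(upload_matches_claimed_type($realGif, 'avatar.gif')); // genuine GIF

unlink($renamed);
unlink($realGif);
```

A content check is one layer; keeping the uploads directory from executing scripts is the complementary control.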
