[buddypress-trac] [BuddyPress] #5041: Possible security issue with avatar uploads.

buddypress-trac noreply at wordpress.org
Thu Jun 6 05:04:07 UTC 2013

#5041: Possible security issue with avatar uploads.
 Reporter:  lagdonkey     |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Core          |    Version:  1.7
 Severity:  normal        |   Keywords:  needs-patch
 As per my thread at: http://buddypress.org/support/topic/a-potential-

 First off, I’m using BP 1.7.2, and WordPress 3.5.1 website is

 Just installed BP, and am about to start working on templates to fit it
 into my theme, however one criterion I require is for users to be able to
 upload their own avatars, which BP does.

 First off, I tested this feature on my localhost development site, and the
 first thing I tried was to break any security features it has. What I
 found was, I could easily take a standard raw PHP file, change the
 extension to .jpg, and it would upload. Of course it gave an error when it
 got to the cropping section, however the file is sitting in the folder
 wp-content/uploads/avatar/3. This is a MAJOR security issue, as anyone
 could very easily upload any malicious file and do what they want, if they
 can figure out where the uploaded files go (which wouldn’t be all that hard).

 I’m just wondering if there’s some setting in BP itself I’m missing, or if
 this is really how this plugin works. I’ll admit, I don’t know all the ins
 and outs of web development and security, but this seems pretty dangerous,
 unless I’m missing something. It was my assumption that BP should be
 checking MIME filetype, and using other checksums to ensure this sort of
 thing can’t happen.

Ticket URL: <https://buddypress.trac.wordpress.org/ticket/5041>
BuddyPress <http://buddypress.org/>
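
The kind of content check the report asks about, as an added example that is not part of the original ticket and is not BuddyPress code: the upload is typed from its bytes rather than its name, and a rejected file is deleted instead of being left in the avatar folder. The function names and the allow-list are hypothetical; it assumes PHP 7.1+ with the fileinfo extension, and the two sample files are constructed.

```php
<?php
// Added example, not BuddyPress code. All example_* names are hypothetical.

const EXAMPLE_AVATAR_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

// Return the image MIME type detected from the file's bytes, or null.
function example_avatar_mime(string $path): ?string
{
    // Sniff the content; the client-supplied name and Content-Type are ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if (!is_string($mime) || !array_key_exists($mime, EXAMPLE_AVATAR_TYPES)) {
        return null;
    }
    // The image header must also parse and agree with the sniffed type.
    $info = @getimagesize($path);
    return ($info !== false && $info['mime'] === $mime) ? $mime : null;
}

// Move an accepted upload into $destDir under a server-chosen name and an
// extension derived from the detected type. A rejected upload is deleted,
// so it never remains on disk after the error is shown to the user.
function example_store_avatar(string $tmpPath, string $destDir): ?string
{
    $mime = example_avatar_mime($tmpPath);
    if ($mime === null) {
        @unlink($tmpPath);
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.' . EXAMPLE_AVATAR_TYPES[$mime];
    $dest = $destDir . '/' . $name;
    return rename($tmpPath, $dest) ? $dest : null;
}

// Constructed sample inputs: PHP source named .jpg, and a real 1x1 GIF.
$dir = sys_get_temp_dir() . '/avatar-demo-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents("$dir/fake.jpg", "<?php echo 'not an image'; ?>");
file_put_contents(
    "$dir/real.gif",
    base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7')
);

var_dump(example_store_avatar("$dir/fake.jpg", $dir)); // rejected upload
var_dump(file_exists("$dir/fake.jpg"));                // is it still on disk?
var_dump(example_store_avatar("$dir/real.gif", $dir)); // accepted upload
```

A type check alone does not cover a file that is both a valid image and carries script text, so the upload directory should also be configured so the web server never executes files from it.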
