[buddypress-trac] [BuddyPress] #5041: Avatar uploads should have their MIME types checked more aggressively (was: Possible security issue with avatar uploads.)

buddypress-trac noreply at wordpress.org
Mon Jun 10 01:05:45 UTC 2013

#5041: Avatar uploads should have their MIME types checked more aggressively
 Reporter:  lagdonkey    |       Owner:
     Type:  enhancement  |      Status:  new
 Priority:  normal       |   Milestone:  Future Release
Component:  Core         |     Version:  1.7
 Severity:  normal       |  Resolution:
 Keywords:  needs-patch  |
Changes (by boonebgorges):

 * type:  defect (bug) => enhancement
 * milestone:  Awaiting Review => Future Release


 Thanks for the report, lagdonkey.

 You are correct that BP only checks uploads based on filenames, which can
 be spoofed. This is not ideal. However, a few points:

 - The same is true of WordPress. Their core function for validating file
 types is `wp_check_filetype_and_ext()`. It determines mime type from
 filename, and only in the case of an image with an incorrect extension
 (like, you rename foo.jpg as foo.gif) does it actually do anything more
 sophisticated. See
 http://core.trac.wordpress.org/browser/tags/3.5.1/wp-includes/functions.php#L1737
 - `wp_handle_upload()`, which BP uses to place the file in its permanent
 location, sets the file permissions of the uploaded file to 666. Thus, even
 if someone were to upload a malicious executable file, it should not in
 fact be executable.
 - Your server should be set up in such a way that files with the extension
 `.jpg` etc cannot be parsed by PHP.

 Real MIME checks in PHP are generally done using `finfo`, but this
 extension is only available in PHP > 5.3, which is above BP/WP's current
 minimum requirements.

 So, for the moment, I'm going to put this in Future Release, with the
 expectation that we (or, more likely, WordPress) will harden it when the
 PHP 5.2.x series is dropped. In the meantime, if you are able to identify
 steps to a specific exploit - that is, not only can you upload such a
 file, but you can then execute arbitrary code through the browser - please
 send details to security at wordpress.org

 Thanks again for your report.

Ticket URL: <https://buddypress.trac.wordpress.org/ticket/5041#comment:1>
BuddyPress <http://buddypress.org/>
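The content-based check discussed in the comment above, as an added example that is not BuddyPress or WordPress code; it assumes an avatar allow-list of jpg/gif/png and the `finfo` extension (PHP 5.3+), and contrasts the extension-only decision with what `finfo` reports for a constructed file that merely carries an image extension:

```php
<?php
// Added example: extension-only check vs. content-based check with finfo.
// Assumed allow-list of avatar types (extension -> expected MIME type).
$allowed = array(
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
    'png'  => 'image/png',
);

// Extension-only check: trusts whatever filename the client supplied.
function mime_from_extension($filename, array $allowed) {
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return isset($allowed[$ext]) ? $allowed[$ext] : false;
}

// Content-based check: libmagic looks at the bytes actually on disk.
function mime_from_content($path) {
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $path);
    finfo_close($finfo);
    return $mime;
}

// Accept only when the extension is allowed AND the content agrees with it.
function is_valid_avatar($path, $filename, array $allowed) {
    $claimed = mime_from_extension($filename, $allowed);
    if ($claimed === false) {
        return false;
    }
    return mime_from_content($path) === $claimed;
}

// Constructed sample 1: named like a JPEG, but the body is PHP source.
// The extension check accepts the name; the content check does not.
$tmp = tempnam(sys_get_temp_dir(), 'avatar');
file_put_contents($tmp, "<?php echo 'not an image'; ?>\n");
var_dump(mime_from_extension('avatar.jpg', $allowed));
var_dump(mime_from_content($tmp));
var_dump(is_valid_avatar($tmp, 'avatar.jpg', $allowed));

// Constructed sample 2: a real PNG signature followed by an IHDR chunk
// header, so extension and content agree and the file is accepted.
file_put_contents($tmp, "\x89PNG\r\n\x1a\n" . "\x00\x00\x00\x0dIHDR");
var_dump(is_valid_avatar($tmp, 'avatar.png', $allowed));
unlink($tmp);
```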
