BuddyPress Activity Plus
[resolved] Please stop the plugin from renaming image files with a double extension (7 posts)

  1. MickeyRoush
    Member
    Posted 7 months ago #

    When users upload a file it goes to the wp-content/uploads/bpfb directory and renames it something like:

    1_0.444455555566666677777my_image-bpfb.jpg
    and:
    1_0.444455555566666677777my_image.jpg

    For security reasons, I do not allow, nor do I recommend anyone else allow any file to be uploaded or have a file in their uploads directory that has more than one literal period. Why? There's too much of a security risk of someone uploading a file like:

    somecode.php.jpg

    With the right tools and access, if that was an actual PHP file, it's possible that someone with malicious intent could use it maliciously. Therefore, anything that is uploaded on any of my sites and anyone I help, that has more than one literal period, cannot be accessed from HTTP.

    See these links:
    http://www.acunetix.com/websitesecurity/upload-forms-threat/
    http://blog.sucuri.net/2013/08/joomla-hacks-part-i-phishing.html
    http://www.creativebloq.com/web-design/website-security-tips-protect-your-site-7122853
    https://technonxt.wordpress.com/tag/double-extension/
    http://www.cvedetails.com/cve/CVE-2012-1125/
    http://www.cvedetails.com/cve/CVE-2012-5318/

    If there is no specific reason that you're using a literal period there, it might be a better idea to use just a hyphen or underscore instead.

    http://wordpress.org/plugins/buddypress-activity-plus/

  2. MickeyRoush
    Member
    Posted 7 months ago #

    To make it a bit easier to understand, it would be better if these:

    1_0.444455555566666677777my_image-bpfb.jpg
    and:
    1_0.444455555566666677777my_image.jpg

    were these:

    1_0_444455555566666677777my_image-bpfb.jpg
    and:
    1_0_444455555566666677777my_image.jpg

  3. WPMU DEV
    Member
    Posted 7 months ago #

    Hi @MickeyRoush,

    Thanks for notifying.

    I have notified the developer of this and it may be fixed in a future version of the plugin if found valid.

    Cheers,

  4. MickeyRoush
    Member
    Posted 7 months ago #

    Sorry, not sure what you mean about it being valid. Validation was already given. This is NOT a vulnerability with your plugin, it just means that since you're including a literal period when renaming files, that users who are trying to secure their uploads directory will not be able to use the upload feature, because anything that is deemed a double extension will throw a 403 Forbidden or whatever they have set to protect their uploads directory.

    In other words, the images will never be seen. I imagine if they're using something like mod_security that could prevent the images from showing as well.

    All you need to do is make sure that literal period, as I mentioned above, is a different character, like an underscore. I looked at the file (images_tag_template.php) but I'm not sure exactly where this is being done. If you can point me to the correct location, I would be happy to test it for you.

  5. David
    WPMU DEV Support Staff
    Posted 7 months ago #

    Hi @MickeyRoush,

    Interesting point, thanks for bringing it up. While the developer looks into the matter, you could make the following quick edit to the plugin to do as you've requested.

    In the following file:
    /wp-content/plugins/buddypress-activity-plus/lib/class_bpfb_binder.php

    You'll see this on line 56:
    $pfx = $bp->loggedin_user->id . '_' . preg_replace('/ /', '', microtime());

    You can change that to the following:
    $pfx = $bp->loggedin_user->id . '_' . preg_replace('/ /', '', str_replace(".","_",microtime()));

    Basically, it's just replacing the . in the microtime() function output to an underscore.

    Hope that helps!

    -David
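
The following is an added example, not code from the plugin or from anyone in this thread. It reproduces the original and fixed prefix logic from David's suggested edit side by side, and adds the "more than one literal period" check MickeyRoush describes in post 1 so you can see why the original prefix gets blocked by such a policy and the fixed one does not. The function names, the sample `microtime()` string and the sample filenames are constructed for the illustration.

```php
<?php
// Added example (not plugin code). Function names and sample values are
// constructed; the two prefix expressions follow the thread's original and
// fixed versions of the line in class_bpfb_binder.php.

/**
 * Original prefix construction: only the space in microtime()'s "msec sec"
 * output is stripped, so the fractional part keeps a literal period that
 * ends up in the uploaded file's name.
 */
function bpfb_prefix_original($user_id, $microtime) {
    return $user_id . '_' . preg_replace('/ /', '', $microtime);
}

/**
 * Fixed prefix construction from the thread: the period in the fractional
 * part is turned into an underscore before the space is removed.
 */
function bpfb_prefix_fixed($user_id, $microtime) {
    return $user_id . '_' . preg_replace('/ /', '', str_replace('.', '_', $microtime));
}

/**
 * Mirrors the upload-directory policy described in post 1: a file name with
 * more than one literal period is treated as a double extension and denied.
 * Returns true when the name would be blocked.
 */
function has_double_extension($filename) {
    return substr_count(basename($filename), '.') > 1;
}

// Constructed sample of microtime()'s "msec sec" format.
$sample_microtime = '0.44445555 1400000000';
$user_id = 1;

$prefixes = [
    'original' => bpfb_prefix_original($user_id, $sample_microtime),
    'fixed'    => bpfb_prefix_fixed($user_id, $sample_microtime),
];

foreach ($prefixes as $label => $pfx) {
    // Same suffix the plugin appends in the thread's examples.
    $filename = $pfx . 'my_image-bpfb.jpg';
    printf("%-8s %s  blocked=%s\n", $label, $filename,
           has_double_extension($filename) ? 'yes' : 'no');
}

// The pattern the policy is really aimed at (constructed name from post 1).
printf("%-8s %s  blocked=%s\n", 'upload', 'somecode.php.jpg',
       has_double_extension('somecode.php.jpg') ? 'yes' : 'no');
```

Run it with `php example.php`: the "original" line carries a second period from the microtime fraction and is flagged, the "fixed" line passes, and the `somecode.php.jpg` name is flagged as intended. The check counts periods in the base name only, so a directory path such as `wp-content/uploads/bpfb/` does not affect the result.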

  6. MickeyRoush
    Member
    Posted 7 months ago #

    Yes, I believe that's what I was looking for. I'll try to test it here soon. Thanks again.

  7. David
    WPMU DEV Support Staff
    Posted 7 months ago #

    Sounds great! I tested it myself before posting, worked a charm over here. Just let us know how that goes for ya though! :)
