Please stop the plugin from renaming image files with a double extension
When users upload a file it goes to the wp-content/uploads/bpfb directory and renames it something like:
1_0.444455555566666677777my_image-bpfb.jpg
and:
1_0.444455555566666677777my_image.jpg
For security reasons, I do not allow, nor do I recommend anyone else allow any file to be uploaded or have a file in their uploads directory that has more than one literal period. Why? There’s too much of a security risk of someone uploading a file like:
somecode.php.jpg
With the right tools and access, if that was an actual PHP file, it’s possible that someone with malicious intent could use it maliciously. Therefore, anything that is uploaded on any of my sites and anyone I help, that has more than one literal period cannot be accessed from HTTP.
See these links:
http://www.acunetix.com/websitesecurity/upload-forms-threat/
http://blog.sucuri.net/2013/08/joomla-hacks-part-i-phishing.html
http://www.creativebloq.com/web-design/website-security-tips-protect-your-site-7122853
https://technonxt.wordpress.com/tag/double-extension/
http://www.cvedetails.com/cve/CVE-2012-1125/
http://www.cvedetails.com/cve/CVE-2012-5318/
If there is no specific reason that you’re using a literal period there, it might be a better idea to use just a hyphen or underscore instead.
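One way an upload handler could produce stored names with exactly one period, as the post above requests. This is an added example, not part of the original post and not the plugin's code; the function name, the extension allow-list and the hex token that stands in for the float prefix are assumptions.

```php
<?php
// Added illustration; not code from the plugin.
// Function name and allow-list are hypothetical.
const ALLOWED_IMAGE_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif'];

/**
 * Build a stored filename that contains exactly one period.
 * Returns null when the final extension is not an allowed image type.
 */
function single_dot_upload_name(int $userId, string $original, string $suffix = ''): ?string
{
    // Drop any path component the client supplied.
    $original = basename(str_replace('\\', '/', $original));

    $dot = strrpos($original, '.');
    if ($dot === false || $dot === 0) {
        return null; // no extension, or a dotfile such as ".htaccess"
    }

    $ext  = strtolower(substr($original, $dot + 1));
    $stem = substr($original, 0, $dot);
    if (!in_array($ext, ALLOWED_IMAGE_EXTENSIONS, true)) {
        return null;
    }

    // Inner periods ("somecode.php") and anything outside [A-Za-z0-9_-]
    // are collapsed to hyphens, so only the final extension keeps a period.
    $stem = trim(preg_replace('/[^A-Za-z0-9_-]+/', '-', $stem), '-');
    if ($stem === '') {
        $stem = 'upload';
    }

    // Hex token instead of a float such as 0.4444..., so the prefix adds no period.
    $token = bin2hex(random_bytes(8));

    return sprintf('%d_%s_%s%s.%s', $userId, $token, $stem, $suffix, $ext);
}

// Constructed sample inputs.
foreach (['my_image.jpg', 'somecode.php.jpg', 'shell.php', '.htaccess'] as $name) {
    $stored = single_dot_upload_name(1, $name);
    printf("%-18s => %s\n", $name, $stored ?? '(rejected)');
}
echo single_dot_upload_name(1, 'my_image.jpg', '-bpfb'), "\n";
```

Renaming alone does not validate the file's contents; it only guarantees that the stored name carries a single, allow-listed extension.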