Please stop the plugin from renaming image files with a doulbe extension

Resolved MickeyRoush
(@mickeyroush)

10 years, 3 months ago

When users upload a file it goes to the wp-content/uploads/bpfb directory and renames it something like:

1_0.444455555566666677777my_image-bpfb.jpg
and:
1_0.444455555566666677777my_image.jpg

For security reasons, I do not allow, nor do I recommend anyone else allow any file to be uploaded or have a file in their uploads directory that has more than one literal period. Why? There’s too much of a security risk of someone uploading a file like:

somecode.php.jpg

With the right tools and access, if that was an actual PHP file, it’s possible that someone with malicious intent go use it maliciously. There for, anything that is uploaded on any of my sites and anyone I help, that has more than one literal period cannot be accessed from HTTP.

See these links:
http://www.acunetix.com/websitesecurity/upload-forms-threat/
http://blog.sucuri.net/2013/08/joomla-hacks-part-i-phishing.html
http://www.creativebloq.com/web-design/website-security-tips-protect-your-site-7122853
https://technonxt.wordpress.com/tag/double-extension/
http://www.cvedetails.com/cve/CVE-2012-1125/
http://www.cvedetails.com/cve/CVE-2012-5318/

If there is no specific reason that you’re using a literal period there, it might be a better idea to use just a hyphen or underscore instead.

http://wordpress.org/plugins/buddypress-activity-plus/

Viewing 6 replies - 1 through 6 (of 6 total)

Thread Starter MickeyRoush
(@mickeyroush)

10 years, 3 months ago
To make it a bit easier to understand, it would be better if these:
```
1_0.444455555566666677777my_image-bpfb.jpg
and:
1_0.444455555566666677777my_image.jpg
```
were these:
```
1_0_444455555566666677777my_image-bpfb.jpg
and:
1_0_444455555566666677777my_image.jpg
```
Plugin Support Predrag – WPMU DEV Support
(@wpmudev-support1)

10 years, 2 months ago

Hi @mickeyroush,

Thanks for notifying.

I have notified this to the developer and it may be fixed in the future version of plugin if found valid.

Cheers,

Thread Starter MickeyRoush
(@mickeyroush)

10 years, 2 months ago

Sorry, not sure what you mean about it being valid. Validation was already given. This is NOT a vulnerability with your plugin, it just means that since you’re including a literal period when renaming files, that users who are trying to secure their uploads directory will not be able to use the upload feature, because anything that is deemed a double extension will throw a 403 Forbidden or whatever they have set to protect their uploads directory.

In other words, the images will never been seen. I imagine if they’re using something like mod_security that could prevent the images from showing as well.

All you need do is make sure that literal period, as I mentioned above is a different character, like an underscore. I looked at the file (images_tag_template.php) but I’m not sure exactly where this is being done. If you can point me to the correct location, I would be happy to test it for you.

David
(@ugotsta)

10 years, 2 months ago

Hi @mickeyroush,

Interesting point, thanks for bringing it up. While the developer looks into the matter, you could make the following quick edit the plugin to do as you’ve requested.

In the following file:
/wp-content/plugins/buddypress-activity-plus/lib/class_bpfb_binder.php

You’ll see this on line 56:
$pfx = $bp->loggedin_user->id . '_' . preg_replace('/ /', '', microtime());

You can change that to the following:
$pfx = $bp->loggedin_user->id . '_' . preg_replace('/ /', '', str_replace(".","_",microtime()));

Basically, it’s just replacing the . in the microtime() function output to an underscore.

Hope that helps!

-David

Thread Starter MickeyRoush
(@mickeyroush)

10 years, 2 months ago

Yes, I believe that’s what I was looking for. I’ll try to test it here soon. Thanks again.

David
(@ugotsta)

10 years, 2 months ago

Sounds great! I tested it myself before posting, worked a charm over here. Just let us know how that goes for ya though! 🙂

Viewing 6 replies - 1 through 6 (of 6 total)

The topic ‘Please stop the plugin from renaming image files with a doulbe extension’ is closed to new replies.

Tags