Forum Replies Created

  • Thread Starter norocketsurgeon

    (@norocketsurgeon)

    Hi samrat,
    So you’ve got a couple problems going on in this code:
    1) As you mentioned you don’t check for the .php extension. You might want to also consider checking the mime type as well.

    2) you create the upload directory with 777 permissions which should basically NEVER be done. Check out this article for more background: http://codex.wordpress.org/Changing_File_Permissions
    ideally the folder should be something like 755 and the files should get chmoded to 644 after upload, or something similar.

    3) You make no attempt to prevent directory traversal. If you’re not familiar with directory traversal you can learn more about it here:
    http://en.wikipedia.org/wiki/Directory_traversal_attack
    Directly checking for “..” isn’t the best approach to protect against this. Ideally you should expand the file destination directory with realpath, then ensure it matches your intended destination directory for uploaded files.

    These steps will get you started toward a more secure file uploader. Personally, if I’m allowing anonymous submissions in a plugin, I put a “.htaccess” file in the upload directory that gives a 404 error when trying to access content within that directory. This makes it so the files are only accessible through a PHP script or through FTP/SSH access. It’s a pain if you want them accessible through a web interface, since you have to write a script that serves up the document, but I think the security is worth it. (Also, with this approach you should obviously make sure the file being uploaded isn’t named .htaccess.)

    Cheers,
    Nolan
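As an added example (not code from the plugin under discussion or from Nolan's post), this PHP upload handler applies the three points above: an extension whitelist plus a sniffed MIME type, realpath containment of the destination, and 0644 on the stored file with the directory left at 0755. The function name `save_upload`, the `$_FILES['document']` key and the whitelist are assumptions.

```php
<?php
// Added example: minimal upload handler following the three points above.
// Assumes $uploadDir already exists with 0755 and is outside any path that
// the web server executes PHP from. Called as save_upload($_FILES['document'], $uploadDir).

function save_upload(array $file, string $uploadDir): string
{
    // Whitelist of extension => expected sniffed MIME type (never a blacklist of .php).
    $allowedExt = ['pdf' => 'application/pdf', 'png' => 'image/png', 'jpg' => 'image/jpeg'];

    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed or not an uploaded file');
    }

    // 1) Extension check on the last extension only, after stripping any client-supplied path.
    $name = basename($file['name']);
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset($allowedExt[$ext])) {
        throw new RuntimeException('Extension not allowed');
    }
    // Sniff the MIME type from content; $file['type'] is client-supplied and untrusted.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== $allowedExt[$ext]) {
        throw new RuntimeException('Content does not match extension');
    }
    // Never accept the name of the access-control file (or any dotfile) in the directory.
    if ($name[0] === '.' || strcasecmp($name, '.htaccess') === 0) {
        throw new RuntimeException('Dotfile names are not allowed');
    }

    // 3) Traversal: resolve the base and the destination's directory with realpath
    //    and require them to be identical, rather than searching the name for "..".
    $base = realpath($uploadDir);
    $dest = $base . DIRECTORY_SEPARATOR . $name;
    if ($base === false || realpath(dirname($dest)) !== $base) {
        throw new RuntimeException('Destination outside upload directory');
    }

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    // 2) Stored file is 0644; the directory is created 0755 elsewhere, never 0777.
    chmod($dest, 0644);
    return $dest;
}
```

The .htaccess block Nolan describes is a separate file in the upload directory; on Apache 2.4 `Require all denied` there answers with 403, and a `RewriteRule` with the `[R=404]` flag is one way to return the 404 he mentions instead.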

    Thread Starter norocketsurgeon

    (@norocketsurgeon)

    Sorry, I mistyped. I checked, and I did email “.org”. Also, I would appreciate it if you removed my first reply to you. I sent it quickly without thinking; a public forum isn’t the best place to report security vulnerabilities before they have been fixed.

    Thread Starter norocketsurgeon

    (@norocketsurgeon)

    Also, I’ve already emailed the content above to plugins [at] wordpress.com. As a moderator, you might want to delete the above post until this plugin gets taken down. Wouldn’t want someone seeing that and hacking any site with this plugin on it.
