[buddypress-trac] [BuddyPress] #5041: Avatar uploads should have their MIME types checked more aggressively (was: Possible security issue with avatar uploads.)
buddypress-trac
noreply at wordpress.org
Mon Jun 10 01:05:45 UTC 2013
#5041: Avatar uploads should have their MIME types checked more aggressively
-------------------------+-----------------------------
Reporter: lagdonkey | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Future Release
Component: Core | Version: 1.7
Severity: normal | Resolution:
Keywords: needs-patch |
-------------------------+-----------------------------
Changes (by boonebgorges):
* type: defect (bug) => enhancement
* milestone: Awaiting Review => Future Release
Comment:
Thanks for the report, lagdonkey.
You are correct that BP only checks uploads based on filenames, which can
be spoofed. This is not ideal. However, a few points:
- The same is true of WordPress. Their core function for validating file
types is `wp_check_filetype_and_ext()`. It determines mime type from
filename, and only in the case of an image with an incorrect extension
(like, you rename foo.jpg as foo.gif) does it actually do anything more
sophisticated. See
http://core.trac.wordpress.org/browser/tags/3.5.1/wp-includes/functions.php#L1805
- `wp_handle_upload()`, which BP uses to place the file in its permanent
location, sets the file permissions of the uploaded file to 666.
(http://core.trac.wordpress.org/browser/tags/3.5.1/wp-includes/functions.php#L1737)
Thus, even if someone were to upload a malicious executable file, it
should not in fact be executable.
- Your server should be set up in such a way that files with the extension
`.jpg` etc cannot be parsed by PHP.
Real MIME checks in PHP are generally done using `finfo`, but this
extension is only available in PHP > 5.3, which is above BP/WP's current
minimum requirements.
So, for the moment, I'm going to put this in Future Release, with the
expectation that we (or, more likely, WordPress) will harden it when the
PHP 5.2.x series is dropped. In the meantime, if you are able to identify
steps to a specific exploit - that is, not only can you upload such a
file, but you can then execute arbitrary code through the browser - please
send details to security at wordpress.org
Thanks again for your report.
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/5041#comment:1>
BuddyPress <http://buddypress.org/>
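The content-based check the comment describes (detecting the type with `finfo` and requiring the extension to agree with it, instead of trusting the filename) as an added stand-alone example; this is not BuddyPress or WordPress code, the function name `avatar_detect_image_type` is made up for illustration, and it assumes PHP 5.3 or later for the `finfo` extension, which the comment notes was above BP/WP's minimum at the time.

```php
<?php
// Added example (not BuddyPress/WordPress code): validate an avatar upload
// by its bytes, not its name. A non-image renamed to foo.jpg is rejected
// because finfo and getimagesize() look at the content, and a real image
// carrying the wrong extension is rejected by the extension cross-check.

function avatar_detect_image_type( $path ) {
    // Accepted content-derived MIME types and the extensions each may use.
    static $allowed = array(
        'image/jpeg' => array( 'jpg', 'jpeg' ),
        'image/png'  => array( 'png' ),
        'image/gif'  => array( 'gif' ),
    );

    if ( ! is_readable( $path ) ) {
        return false;
    }

    // 1. Detect the MIME type from the file contents (needs PHP >= 5.3).
    $finfo = new finfo( FILEINFO_MIME_TYPE );
    $mime  = $finfo->file( $path );
    if ( ! isset( $allowed[ $mime ] ) ) {
        return false;
    }

    // 2. The extension must agree with the content-derived type.
    $ext = strtolower( pathinfo( $path, PATHINFO_EXTENSION ) );
    if ( ! in_array( $ext, $allowed[ $mime ], true ) ) {
        return false;
    }

    // 3. Cross-check with the image parser; a mismatch means a crafted file.
    $info = @getimagesize( $path );
    if ( false === $info || $info['mime'] !== $mime ) {
        return false;
    }

    return $mime;
}

// Constructed demo input: a genuine 1x1 PNG and a text file renamed to .jpg.
$dir      = sys_get_temp_dir();
$png_path = $dir . '/avatar_demo.png';
file_put_contents( $png_path, base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
) );
$fake_path = $dir . '/avatar_demo.jpg';
file_put_contents( $fake_path, "this is not an image" );

var_dump( avatar_detect_image_type( $png_path ) );   // accepted as image/png
var_dump( avatar_detect_image_type( $fake_path ) );  // rejected: content is not an image
unlink( $png_path );
unlink( $fake_path );
```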