
Upload service is no more, sorry guys


ThunderPoit
Making sawdust
 
Join Date: May 2004
Location: Minnesota
 
2004-11-09, 04:08

Someone went and uploaded a rather malicious-looking PHP script that gave a lot of features that no one should have to my directory. I'm doubting that anyone here did it; I'm gonna go back and look at my uploader script to find a way to make sure that only GIFs and JPEGs can be uploaded. Anything you guys need hosted, just drop me a line and I'll gladly upload it for you.
  quote
ThunderPoit
Making sawdust
 
Join Date: May 2004
Location: Minnesota
 
2004-11-09, 04:08

Fekkin-A. Can someone w/ the privs move this to Suggestions for me? Too long of a day for me, not thinkin' straight.
  quote
ThunderPoit
Making sawdust
 
Join Date: May 2004
Location: Minnesota
 
2004-11-09, 04:22

Code:
<?php
$site_name  = $_SERVER['HTTP_HOST'];
$url_dir    = "http://".$_SERVER['HTTP_HOST'].dirname($_SERVER['PHP_SELF']);
$url_this   = "http://".$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'];
$upload_dir = "pix/";
$upload_url = $url_dir."pix/";
$message    = "";

// create upload_files directory if not exist
// If it does not work, create on your own and change permission.
if (!is_dir("pix")) {
    die("pix directory doesn't exist");
}

if ($_FILES['userfile']) {
    $message = do_upload($upload_dir, $upload_url);
} else {
    $message = "Invalid File Specified.";
}
print $message;

function do_upload($upload_dir, $upload_url)
{
    $temp_name = $_FILES['userfile']['tmp_name'];
    $file_name = $_FILES['userfile']['name'];
    $file_type = $_FILES['userfile']['type'];   // copied from the Content-Type the browser sent
    $file_size = $_FILES['userfile']['size'];
    $result    = $_FILES['userfile']['error'];
    $file_url  = $upload_url.$file_name;
    $file_path = $upload_dir.$file_name;

    // File Name Check
    if ($file_name == "") {
        $message = "Invalid File Name Specified";
        return $message;
    }
    // File Size Check
    else if ($file_size > 500000) {
        $message = "The file size is over 500K.";
        return $message;
    }
    // File Type Check (the "part in red" referred to below)
    else if ($file_type == "text/plain") {
        $message = "Sorry, You cannot upload any script file";
        return $message;
    }

    $result  = move_uploaded_file($temp_name, $file_path);
    $message = ($result) ? "File url <a href=$file_url>$file_url</a>"
                         : "Something is wrong with uploading a file.";
    return $message;
}
?>
<form name="upload" id="upload" ENCTYPE="multipart/form-data" method="post">
Upload Image<input type="file" id="userfile" name="userfile">
<input type="submit" name="upload" value="Upload">
</form>
<p>
This is a free service provided by me, I won't be here to moderate it every five seconds, so I urge you to not abuse this as I can take it away at any time. Below is a list of currently uploaded files, please choose a unique name for yours so you do not overwrite someone else's image.
<br> <br> ps, just so you know, a lot of the files listed below are NOT safe for work. <br> <iframe src="/pix/" height="80%"> </iframe>
OK, so here's my upload script. The part in red (the file type check) is supposed to check if the file is text and then stop the user from uploading said text, but I just tested it and it will upload anything under 500K. What gives?


PS: the file that was uploaded can be found here. I changed it to a text file, so it can't be executed. Feel free to smack me upside the head if I'm stupid for thinking that makes it safe :P

http://www.davidlegatt.com/pix/a.txt
  quote
thuh Freak
Finally broke the seal
 
Join Date: May 2004
 
2004-11-09, 17:45

Sux to hear that. You might consider uploading files to an 'upload' directory (as you seem to be doing), but limit that directory's PHP/scripting access. I'm pretty sure you can (via apache.conf editing) limit any given directory's PHP/CGI/other abilities. Any directory should have EITHER execute-script OR write abilities, from the webserver's perspective. You should make sure that no directory has both.

The 500K limit won't help too much, though: 1) images can often go over that; 2) scripts can be tremendously smaller than that.

I think (and I may be wrong about this) that Apache will only attempt to execute a script if the file has execute permissions ((0111 & <perm>) > 0). So after the upload, or after mv'ing the file, you could chmod it (chmod a-x [filename]). You'd have to grant PHP shell access to do that (which could make a potentially larger security hole).
  quote
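One way to apply thuh Freak's rule (a directory the web server writes into must not be one it executes from) to the pix/ directory, as an added example that is not from the thread: a per-directory .htaccess file, which is the usual route on shared hosting where httpd.conf is off limits. It assumes Apache httpd (2.4 "Require" syntax; the 2.2 equivalent is in a comment) and a host whose AllowOverride setting permits these directives; a directive the host does not allow produces a 500 error rather than silently doing nothing, so test after uploading it. Note that when PHP runs as an Apache module the file's execute bit is never consulted, so chmod a-x by itself does not stop a .php file from running; the execute bit only matters for CGI scripts.

```apache
# pix/.htaccess -- added example; drop it in the upload directory.
# Assumes Apache 2.4 and AllowOverride permitting FileInfo/Options/AuthConfig.

# No script interpreter of any kind in here: strip the PHP handler/type
# mappings the server config may have added, and forbid CGI and SSI.
RemoveHandler .php .phtml .php3 .php4 .php5 .phps .cgi .pl .py
RemoveType    .php .phtml .php3 .php4 .php5 .phps
Options -ExecCGI -Includes

# When PHP is an Apache module, also switch the engine off for this tree.
# The IfModule guards keep the file valid when PHP runs as CGI/FastCGI
# instead (php_flag is unknown there and would cause a 500).
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<IfModule mod_php.c>
    php_flag engine off
</IfModule>

# Serve image files only; anything else that lands in pix/ (a.php, a.txt,
# a.php.gif renamed later) gets 403 instead of being handed to a client.
# Apache 2.2 equivalent:  Order deny,allow / Deny from all  here, and
# Allow from all  inside the FilesMatch block.
Require all denied
<FilesMatch "\.(?i:gif|jpe?g|png)$">
    Require all granted
</FilesMatch>
```

With this in place the upload script can stay writable to pix/ while nothing placed there is ever executed or served as a script; the upload check in PHP then only has to decide what to keep, not what the server will run.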
Akumulator
Senior Member
 
Join Date: May 2004
Location: Atlanta
 
2004-11-09, 18:07

Or you could install an image gallery like Coppermine or Gallery and only allow specific file uploads in the config.

Edit: You also may find something of use here: http://hotscripts.com/

Last edited by Akumulator : 2004-11-09 at 18:24.
  quote
curiousuburb
Antimatter Man
 
Join Date: May 2004
Location: that interweb thing
 
2004-11-09, 19:16

And as far as tracking down the 'someone' who uploaded a nasty PHP...
don't you get a detailed log of all IP activity from uploads?
  quote
ThunderPoit
Making sawdust
 
Join Date: May 2004
Location: Minnesota
 
2004-11-09, 22:59

I don't think I have access to the httpd.conf file 'cuz the server isn't mine; I have it thru a hosting company. 'burb, where would I find that log?

Also, does anyone know why that bit of code doesn't work?
  quote
SilentEchoes
Unique Like Everyone Else
 
Join Date: May 2004
Location: Rochester, NY
2004-11-10, 02:01

You know, if you don't feel like getting into MIME types and things of that nature, why don't you just allow things with certain extensions to be uploaded? Then it won't really matter if someone uploads a PHP script, as it won't run with a .jpg extension.

You could do this by exploding the . and then making sure that array has one of a set number of extensions in it.

WARNING: Do not let Dr. Mario touch your genitals. He is not a real doctor.
  quote
SilentEchoes
Unique Like Everyone Else
 
Join Date: May 2004
Location: Rochester, NY
2004-11-10, 02:03

Quote:
Originally Posted by ThunderPoit
Also, does anyone know why that bit of code doesn't work?
It's not working because you're hosting it on a box that has MIME type info off, or not installed, or both. It's pretty standard for a server to have this info off.

  quote
ThunderPoit
Making sawdust
 
Join Date: May 2004
Location: Minnesota
 
2004-11-10, 22:14

How would I find this out, and how could I turn it on? I'm hosting it thru a company called networkeleven. I have all the info about the PHP install here:
http://www.davidlegatt.com/phptest.php
  quote
SilentEchoes
Unique Like Everyone Else
 
Join Date: May 2004
Location: Rochester, NY
2004-11-11, 21:43

php.ini needs access to MagicMIME. You would need to edit the PHP ini file in order to get access to MIME types.

MIME will only return things like text/plain or image/gif or image/png, things of that nature.

I would still say just explode the . and make sure the extension is something like jpg, png, gif, pdf or txt, and don't allow anything other than that. That will stop people from executing PHP scripts they upload, and that is the goal, right?

  quote
ThunderPoit
Making sawdust
 
Join Date: May 2004
Location: Minnesota
 
2004-11-12, 00:09

Yes, that is the goal; thank you very much for your help. Unfortunately for me, it's been so long since I've done any real coding (and even that was the basic simple stuff) that it'll probably take me till next week to figure out how to do it. Oh well :P
  quote
SilentEchoes
Unique Like Everyone Else
 
Join Date: May 2004
Location: Rochester, NY
2004-11-14, 16:52

// split the uploaded file's name on "." and look at the LAST piece
$evaluationString = explode(".", $_FILES['userfile']['name']);
$extension = end($evaluationString);
// case-insensitive match on the whole extension, not on a substring of it
// (eregi() was removed in PHP 7; preg_match('/^jpg$/i', $extension) is the equivalent)
if (!eregi("^jpg$", $extension)) {
    die("The File Must Be In Jpeg Format.");
}

Something along those lines should work. Check out php.net/eregi and php.net/explode for more information on the above functions. If you have any other questions after trying to figure this bad boy out, just post them here. I'll try not to take a week to respond this time.

  quote
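As an added example (not code from the thread or from ThunderPoit's site), here is a replacement for the do_upload() in ThunderPoit's script that combines SilentEchoes' extension allowlist with a check on what the bytes actually are. The original check fails for a simpler reason than server-side MIME support: $_FILES['userfile']['type'] is copied straight from the Content-Type field the browser (or any other client) puts in the multipart request, so the uploader chooses it, and the check only rejects the exact string text/plain anyway. The code below never consults that field. It assumes PHP 7.1 or later; validate_upload(), storage_name(), do_upload_safe(), ALLOWED_IMAGES and MAX_BYTES are names I chose, and the self-test at the bottom writes two constructed files (a PHP one-liner and a 1x1 GIF) to the temp directory and runs only the validation step, because move_uploaded_file() refuses anything that did not arrive by HTTP POST.

```php
<?php
// Added example, not ThunderPoit's script. Decides by extension allowlist
// plus file content; the browser-supplied Content-Type is ignored.

// Extensions we will store, mapped to the IMAGETYPE_* constant that
// getimagesize() must report for the bytes actually uploaded.
const ALLOWED_IMAGES = [
    'gif'  => IMAGETYPE_GIF,
    'jpg'  => IMAGETYPE_JPEG,
    'jpeg' => IMAGETYPE_JPEG,
    'png'  => IMAGETYPE_PNG,
];
const MAX_BYTES = 500000;

// Extension = text after the LAST dot, lower-cased, so "a.php.gif" is
// judged as "gif" and "a.PhP" is not mistaken for something harmless.
function extension_of(string $name): string
{
    $parts = explode('.', $name);
    return strtolower(end($parts));
}

// Validate one entry of $_FILES. Returns null if acceptable, otherwise a
// message for the user. $file['type'] is deliberately never read.
function validate_upload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'Upload failed (error code ' . (int)$file['error'] . ').';
    }
    if (($file['name'] ?? '') === '') {
        return 'Invalid file name specified.';
    }
    if ($file['size'] > MAX_BYTES) {
        return 'The file size is over 500K.';
    }
    $ext = extension_of($file['name']);
    if (!isset(ALLOWED_IMAGES[$ext])) {
        return 'Only gif, jpg, jpeg and png files are accepted.';
    }
    // Content check: parse the bytes as an image and require the detected
    // format to match the extension. A PHP file renamed to .gif fails here.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== ALLOWED_IMAGES[$ext]) {
        return 'File content does not look like a ' . $ext . ' image.';
    }
    return null;
}

// The user's name is never used on disk: a random name cannot overwrite
// another upload, cannot contain "../" and cannot smuggle a second extension.
function storage_name(string $original_name): string
{
    return bin2hex(random_bytes(8)) . '.' . extension_of($original_name);
}

// Drop-in replacement for the original do_upload().
function do_upload_safe(array $file, string $upload_dir, string $upload_url): string
{
    if (($err = validate_upload($file)) !== null) {
        return htmlspecialchars($err);
    }
    $name = storage_name($file['name']);
    $path = rtrim($upload_dir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $path)) {
        return 'Something went wrong storing the file.';
    }
    chmod($path, 0644); // readable by the server, never executable
    $url = htmlspecialchars(rtrim($upload_url, '/') . '/' . $name);
    return "File url <a href=\"$url\">$url</a>";
}

// Self-test with constructed inputs (no web server needed).
if (PHP_SAPI === 'cli') {
    $tmp = sys_get_temp_dir();
    $script = "$tmp/evil.tmp";   // constructed: what the intruder uploaded looks like
    file_put_contents($script, "<?php system(\$_GET['c']); ?>");
    $gif = "$tmp/ok.tmp";        // constructed: a real 1x1 transparent GIF
    file_put_contents($gif, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));

    $cases = [
        // claims image/gif, name ends in .gif, but the bytes are PHP -> rejected
        ['name' => 'shell.php.gif', 'type' => 'image/gif',  'tmp_name' => $script, 'size' => filesize($script), 'error' => 0],
        // plain .php name -> rejected by the extension list before any parsing
        ['name' => 'shell.php',     'type' => 'image/gif',  'tmp_name' => $script, 'size' => filesize($script), 'error' => 0],
        // bogus Content-Type but a genuine GIF -> accepted (null)
        ['name' => 'dot.gif',       'type' => 'text/plain', 'tmp_name' => $gif,    'size' => filesize($gif),    'error' => 0],
    ];
    foreach ($cases as $case) {
        printf("%-14s => %s\n", $case['name'], validate_upload($case) ?? 'accepted');
    }
}
```

Run it from the command line (php upload_check.php) to see the three decisions; in the web form, swap do_upload() for do_upload_safe($_FILES['userfile'], $upload_dir, $upload_url). Because the stored name is generated server-side, the "choose a unique name for yours" request in the original page becomes unnecessary, and the link the script prints is the only way a user learns the file's URL.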


Powered by vBulletin®
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Copyright ©2004 - 2024, AppleNova