Upload script question? uploaded PHP script with png ext.
OK here is a strange one !
Someone uploaded a PHP script with a png ext.. "Written and saved as a png file".
Here is a link to the png file. I left it on the server for now till I figure out if it is a functional script or someone trying to tell me something. "I have a PHP script that allows members to upload pics." Can someone tell me if this script will actually work or what it is supposed to do?
http://www.statenislandsoccer.com/uploa ... ck.php.png
Any thoughts?
Author of upload script GONE. "I guess their site is down"
agtlewis wrote: You might want to add some checks in there to ensure the uploads are really images.
Please explain or give an example? "You mean add to the script to double check if it is an image that is being uploaded. Obviously the script is allowing anything as long as the ext. is png"
Should I just delete from server and forget it?
thanks
Here is a class I found on php.net. Perhaps someone can help you integrate it with your current code.
Code:
<?php
class picture
{
    var $save_dir;                // where the file will be saved
    var $filename = "spacer.gif"; // default file name initially
    var $error_message = "";      // string to be output if necessary
    var $width;                   // width of the final image
    var $height;                  // height of the final image

    function picture($save_directory, $file_array, $max_width, $max_height)
    {
        $this->save_dir = $save_directory;
        $this->width = $max_width;
        $this->height = $max_height;
        //--change filename to time - make it unique
        $temp_filename = $file_array['name'];
        $ext = explode('.', $temp_filename);
        $ext = strtolower($ext[count($ext) - 1]);
        $temp_filename = time() . "." . $ext;
        //--check that it's a jpeg or gif: the extension alone proves nothing,
        //  so getimagesize() must also recognise the uploaded bytes as an image
        $size = @getimagesize($file_array['tmp_name']);
        if (preg_match('/^(gif|jpe?g)$/', $ext) && $size !== false) {
            list($width_orig, $height_orig) = $size;
            // resize in proportion
            if ($this->width && ($width_orig < $height_orig)) {
                $this->width = ($this->height / $height_orig) * $width_orig;
            } else {
                $this->height = ($this->width / $width_orig) * $height_orig;
            }
            //handle gifs and jpegs separately
            if ($ext == 'gif') {
                $image = imagecreatefromgif($file_array['tmp_name']);
            } else {
                $image = imagecreatefromjpeg($file_array['tmp_name']);
            }
            if ($image === false) {
                // extension said gif/jpeg but the data did not decode as one
                $this->error_message .= "<br> file could not be read as a picture <br>";
                return;
            }
            $image_p = imagecreatetruecolor((int)$this->width, (int)$this->height);
            imagecopyresampled($image_p, $image, 0, 0, 0, 0, (int)$this->width, (int)$this->height, $width_orig, $height_orig);
            if ($ext == 'gif') {
                imagegif($image_p, $this->save_dir . $temp_filename); // imagegif() takes no quality argument
            } else {
                imagejpeg($image_p, $this->save_dir . $temp_filename, 80);
            }
            imagedestroy($image_p);
            imagedestroy($image);
            $this->filename = $temp_filename;
        } else {
            $this->error_message .= "<br> file is not a jpeg or gif picture <br>";
        }
    }
}
?>
Thanks for your time.
Would that be possible to add to current code or should I just post code I am using so all can see.
Maybe there is something missing from my code that was over looked by the original writer.
If yes, do you post PHP using the quote function on the boards?
Sorry new here
edited: I just looked at the code in my script; it is pretty BIG and all wrapped in an index.php.
Is it OK to post script here?
Thanks again
Last edited by volito on Mon Mar 06, 2006 10:12 am, edited 1 time in total.
Chris Corbyn wrote:
getimagesize() would determine if it's really an image.
volito wrote:
agtlewis wrote: You might want to add some checks in there to ensure the uploads are really images.
Please explain or give an example? "You mean add to the script to double check if it is an image that is being uploaded. Obviously the script is allowing anything as long as the ext. is png"
Should I just delete from server and forget it?
thanks
I personally wouldn't delete it... I like to keep things like this for reference. Are you sure it was uploaded via the website? It wouldn't be much use by itself over HTTP unless your web server is really insecure. It could however be executed on a shared host via the shell (or another script). Do you have any areas on your website that execute shell commands? If so, I'd have a look at your security measures taken there too.
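A worked version of that check, added here as an example (it is not code from this thread, from volito's script, or from the File Upload Manager project). It assumes PHP 7 or later with the GD extension, an upload field named fileupload as in volito's form, and the script's own $dir_store directory; the 2 MB limit is an assumed value. The point it shows beyond the one-liner: getimagesize() only parses the image header, so a PHP script saved with a .png name fails it, but a genuine image with PHP appended after the image data would still pass. Re-encoding through GD writes only the decoded pixels back out, and letting the server choose the stored name removes the double-extension problem entirely.

```php
<?php
// Added example, not part of the original thread or the File Upload Manager script.
// Assumes PHP 7+ with the GD extension, an upload field named "fileupload",
// and a writable $dir_store directory (the script's own config variable).

function store_image_upload(array $file, string $dir_store, int $max_bytes = 2097152): string
{
    // 1. Did PHP accept the upload at all? Never trust $file['name'] or
    //    $file['type']: both come straight from the client.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or no file sent');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('tmp_name is not an uploaded file');
    }
    if ($file['size'] > $max_bytes) {
        throw new RuntimeException('file too large');
    }

    // 2. Look at the bytes, not the extension. getimagesize() parses the image
    //    header, so a PHP script saved with a .png name returns false here.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false) {
        throw new RuntimeException('not an image');
    }
    $allowed = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];
    if (!isset($allowed[$info[2]])) {
        throw new RuntimeException('image type not allowed');
    }

    // 3. Re-encode through GD. A file that really is an image but carries PHP
    //    code in a comment block or after the image data loses that payload,
    //    because only the decoded pixels are written back out.
    switch ($info[2]) {
        case IMAGETYPE_GIF:  $img = imagecreatefromgif($file['tmp_name']);  break;
        case IMAGETYPE_JPEG: $img = imagecreatefromjpeg($file['tmp_name']); break;
        default:             $img = imagecreatefrompng($file['tmp_name']);  break;
    }
    if ($img === false) {
        throw new RuntimeException('image could not be decoded');
    }

    // 4. The server picks the stored name: no client-supplied characters and
    //    no double extension such as "something.php.gif".
    $name = bin2hex(random_bytes(8)) . '.' . $allowed[$info[2]];
    $dest = rtrim($dir_store, '/\\') . DIRECTORY_SEPARATOR . $name;
    switch ($info[2]) {
        case IMAGETYPE_GIF:  $ok = imagegif($img, $dest);      break;
        case IMAGETYPE_JPEG: $ok = imagejpeg($img, $dest, 85); break;
        default:             $ok = imagepng($img, $dest);      break;
    }
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    return $name;
}

// In the posted script this replaces the copy($source, $dest) branch.
// $dir_store is assumed to be defined by the script's config, as in the original.
if (isset($_FILES['fileupload'])) {
    try {
        $saved = store_image_upload($_FILES['fileupload'], $dir_store);
        echo 'file has been uploaded as ' . htmlspecialchars($saved);
    } catch (RuntimeException $e) {
        echo 'ERROR: ' . htmlspecialchars($e->getMessage());
    }
}
```

Two caveats. Re-encoding flattens animated GIFs and strips metadata, which is the intent but may surprise users. And none of this replaces configuring the web server so that nothing under $dir_store is ever executed as a script; the directive for that depends on the server in use, so it is not shown here.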
PHP code:
?>
<?
if (@phpversion() < '4.1.0') {
$_FILES = $HTTP_POST_FILES; // was $_FILE (typo); the rest of the script reads $_FILES
$_GET = $HTTP_GET_VARS;
$_POST = $HTTP_POST_VARS;
}
clearstatcache();
error_reporting(E_ALL & ~E_NOTICE);
$fum_vers = "1.3"; # do not edit this line, the script will not work!!!
$fum_info_full = "File Upload Manager v$fum_vers";
function authDo($auth_userToCheck, $auth_passToCheck)
{
global $auth_usern, $auth_passw;
$auth_encodedPass = md5($auth_passw);
if ($auth_userToCheck == $auth_usern && $auth_passToCheck == $auth_encodedPass) {
$auth_check = TRUE;
} else {
$auth_check = FALSE;
}
return $auth_check;
}
if (isset($logout)) {
setcookie ('fum_user', "",time()-3600);
setcookie ('fum_pass', "",time()-3600);
}
if (isset($login)) {
$auth_password_en = md5($auth_formPass);
$auth_username_en = $auth_formUser;
if (authDo($auth_username_en, $auth_password_en)) {
setcookie ('fum_user', $auth_username_en,time()+3600);
setcookie ('fum_pass', $auth_password_en,time()+3600);
$auth_msg = "<b>Authentication successful!</b> The cookies have been set.<br><br>".
$auth_msg . "Your password (MD5 encrypted) is: $auth_password_en";
} else {
$auth_msg = "<b>Authentication error!</b>";
}
}
if (($_GET[act]=="dl")&&$_GET[file])
{
if ($auth_ReqPass != 1 || ($auth_ReqPass == 1 && isset($fum_user) && !isset($logout))) {
if ($auth_ReqPass != 1 || ($auth_ReqPass == 1 && authDo($fum_user, $fum_pass))) {
$value_de=base64_decode($_GET[file]);
$dl_full=$dir_store."/".$value_de;
$dl_name=$value_de;
if (!file_exists($dl_full))
{
echo"ERROR: Cannot download file, it does not exist.<br>»<a href=\"$_SERVER[PHP_SELF]\">back</a>";
exit();
}
header("Content-Type: application/octet-stream");
header("Content-Disposition: attachment; filename=$dl_name");
header("Content-Length: ".filesize($dl_full));
header("Accept-Ranges: bytes");
header("Pragma: no-cache");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Content-transfer-encoding: binary");
@readfile($dl_full);
exit();
}
}
}
function getlast($toget)
{
$pos=strrpos($toget,".");
$lastext=substr($toget,$pos+1);
return $lastext;
}
function replace($o)
{
$o=str_replace("/","",$o);
$o=str_replace("\\","",$o);
$o=str_replace(":","",$o);
$o=str_replace("*","",$o);
$o=str_replace("?","",$o);
$o=str_replace("<","",$o);
$o=str_replace(">","",$o);
$o=str_replace("\"","",$o);
$o=str_replace("|","",$o);
return $o;
}
?>
<!-- <?=$fum_info_full?> -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title><? echo ($title) ? ($title) : ("File Upload Manager"); ?></title>
<link rel="stylesheet" href="<?=$dir_img?>/<?=$style?>.css" type="text/css">
<?
if ($auth_ReqPass == 1)
{
if (isset($login) || isset($logout)) {
echo("<meta http-equiv='refresh' content='2;url=$_SERVER[PHP_SELF]'>");
}
}
?>
</head>
<body bgcolor="#F7F7F7"><br><br>
<center>
<?
if ($auth_ReqPass != 1 || ($auth_ReqPass == 1 && isset($fum_user) && !isset($logout))) {
if ($auth_ReqPass != 1 || ($auth_ReqPass == 1 && authDo($fum_user, $fum_pass))) {
?>
<table width="560" cellspacing="0" cellpadding="0" border="0">
<tr>
<td><font size="3"><b><i><? echo ($title) ? ($title) : ("File Upload Manager"); ?></i></b></font> <font style="text-decoration: bold; font-size: 9px;">v<?=$fum_vers?></font>
<?
#--Please do not remove my link/copyright as it is unfair and a breach of the license--#
echo"<a href=\"http://www.mtnpeak.net\" style=\"text-decoration: none; color: #C0C0C0; font-size: 9px; cursor: default\";>© thepeak</a>";
?>
</td>
</tr>
</table>
<?
if (!eregi("777",decoct(fileperms($dir_store))))
{
echo"<br><br><b><h4><font color=\"FF0000\">ERROR: cannot access the upload store file directory. please chmod the \"$dir_store\" directory with value 0777 (xrw-xrw-xrw)!</h4></font></b><br>»<a href=\"$_SERVER[PHP_SELF]\">refresh</a>";
}
else
{
if (!$_FILES[fileupload])
{
?>
<table width="560" cellspacing="0" cellpadding="0" border="0" class="table_decoration" style="padding-top:5px;padding-left=5px;padding-bottom:5px;padding-right:5px">
<form method="post" enctype="multipart/form-data">
<tr>
<td>file:</td><td><input type="file" name="fileupload" class="textfield" size="30"></td>
</tr>
<tr>
<td>rename to:</td><td><input type="text" name="rename" class="textfield" size="46"></td>
</tr>
<tr>
<td>file types allowed:</td><td>
<?
for($i=0;$i<count($file_ext_allow);$i++)
{
if (($i<>count($file_ext_allow)-1))$commas=", ";else $commas="";
list($key,$value)=each($file_ext_allow);
echo $value.$commas;
}
?>
</td>
</tr>
<tr>
<td>file size limit:</td>
<td>
<b><?
if ($file_size_ind >= 1048576)
{
$file_size_ind_rnd = round(($file_size_ind/1024000),3) . " MB";
}
elseif ($file_size_ind >= 1024)
{
$file_size_ind_rnd = round(($file_size_ind/1024),2) . " KB";
}
elseif ($file_size_ind >= 0)
{
$file_size_ind_rnd = $file_size_ind . " bytes";
}
else
{
$file_size_ind_rnd = "0 bytes";
}
echo "$file_size_ind_rnd";
?></b>
</td>
</tr>
<tr>
<td colspan="2"><input type="submit" value="upload" class="button"> <input type="reset" value="clear" class="button"></td>
</tr>
</form>
</table>
<?
if ((!$_GET[act]||!$_GET[file])&&$_GET[act]!="delall")
{
$opendir = @opendir($dir_store);
while ($readdir = @readdir($opendir))
{
if ($readdir<>"." && $readdir<>".." && $readdir != "index.html")
{
$filearr[] = $readdir;
}
$sort=array();
for($i=1;$i<=count($filearr);$i++)
{
$key = sizeof($filearr)-$i;
$file = $filearr[$key];
$sort[$i]=$file;
}
asort($sort);
}
?>
<br>
<table width="560" cellspacing="0" cellpadding="0" border="0" class="table_decoration" style="padding-left:5px">
<tr>
<td><b>admin tools:</b>
<?
if ($file_del_allow != 1 && $auth_ReqPass != 1)
{
echo"<i>none</i>";
}
if ($file_del_allow == 1 && $file_list_allow == 1 && (count($filearr) >= 1))
{
echo"<a href=\"javascript:;\" onClick=\"cf=confirm('Are you sure you want to delete ALL FILES?');if (cf)window.location='?act=delall'; return false;\" style=\"font-size: 9px;\"><delete all files></a>";
}
if ($auth_ReqPass == 1)
{
echo" <a href=\"$_SERVER[PHP_SELF]?logout=1\" style=\"font-size: 9px;\"><log-out><a>";
}
?>
</td>
</tr>
</table>
<br>
<?
if ($file_list_allow == 1 && (count($filearr) >= 1))
{
?>
<table width="560" cellspacing="0" cellpadding="0" border="0" class="table_decoration" style="padding-left:6px">
<tr bgcolor="#DBDBDB">
<td align="left" width="46%">FILE NAME</td>
<td align="center" width="12%">FILE TYPE</td>
<td align="center" width="12%">FILE SIZE</td>
<td align="center" width="30%">FUNCTIONS</td>
</tr>
<?
for($i=1;$i<=count($sort);$i++)
{
list($key,$value)=each($sort);
if ($value)
{
$value_en = base64_encode($value);
$value_view=$value;
if (strlen($value) >= 48)
{
$value_view = substr($value_view, 0, 45) . '...';
}
?>
<tr>
<td width="30%"><?="<a href=\"?act=view&file=$value_en\">$value_view</a>"?></td>
<td align="center" width="5%"><? echo strtoupper(getlast($value)); ?></td>
<td align="center" width="5%"><?
$value_full = $dir_store."/".$value;
$file_size = filesize($value_full);
if ($file_size >= 1048576)
{
$show_filesize = number_format(($file_size / 1048576),2) . " MB";
}
elseif ($file_size >= 1024)
{
$show_filesize = number_format(($file_size / 1024),2) . " KB";
}
elseif ($file_size >= 0)
{
$show_filesize = $file_size . " bytes";
}
else
{
$show_filesize = "0 bytes";
}
echo "$show_filesize";
?></td>
<td align="center" width="5%"><?="<a title=\"View File\" href=\"?act=view&file=$value_en\"><view></a>"?> |
<?
if ($file_del_allow == 1)
{
echo"<a title=\"Download file\" href=\"?act=dl&file=$value_en\"><dl></a>";
}
else
{
echo"<a title=\"Download file\" href=\"?act=dl&file=$value_en\"><download></a>";
}
if ($file_del_allow == 1)
{
echo" | <a title=\"Delete file\" href=\"javascript:;\" onClick=\"cf=confirm('Are you sure you want to delete this file?');if (cf)window.location='?act=del&file=$value_en'; return false;\"><delete></a>";
}
else
{
echo" ";
}
?>
</td>
</tr>
<?
}
else
{
echo"<br>";
}
}
?>
</table></center>
<?
}
}
elseif (($_GET[act]=="view")&&$_GET[file])
{
$value_de = base64_decode($_GET[file]);
echo"<script language=\"javascript\">\nViewPopup = window.open(\"$dir_store/$value_de\", \"fum_viewfile\", \"toolbar=no,status=no,menubar=no,scrollbars=yes,resizable=yes,location=no,width=640,height=480\")\nViewPopup.document.bgColor=\"#F7F7F7\"\nViewPopup.document.close()\n</script>";
echo"<br><img src=\"$dir_img/info.gif\" width=\"15\" height=\"15\"> <b><font size=\"2\">file opened!</font></b><br>»<a href=\"$_SERVER[PHP_SELF]\">back</a><br><br><br>If the file did not display, you must <b>disable</b> your popup manager, or enable javascript in your browser.";
}
elseif (($_GET[act]=="del")&&$_GET[file])
{
$value_de = base64_decode($_GET[file]);
@unlink($dir_store."/$value_de");
echo"<br><img src=\"$dir_img/info.gif\" width=\"15\" height=\"15\"> <b><font size=\"2\">file has been deleted!</font></b><br>»<a href=\"$_SERVER[PHP_SELF]\">back</a>";
}
if ($_GET[act]=="delall")
{
$handle = opendir($dir_store);
while($file=readdir($handle))
if (($file != ".")&&($file != ".."))
@unlink($dir_store."/".$file);
closedir($handle);
echo"<br><img src=\"$dir_img/info.gif\" width=\"15\" height=\"15\"> <b><font size=\"2\">all files have been deleted!</font></b><br>»<a href=\"$_SERVER[PHP_SELF]\">back</a>";
}
}
else
{
echo"<br><br>";
$uploadpath=$dir_store."/";
$source=$_FILES[fileupload][tmp_name];
$fileupload_name=$_FILES[fileupload][name];
$weight=$_FILES[fileupload][size];
for($i=0;$i<count($file_ext_allow);$i++)
{
if (getlast($fileupload_name)!=$file_ext_allow[$i])
$test.="~~";
}
$exp=explode("~~",$test);
if (count($exp)==(count($file_ext_allow)+1))
{
echo"<br><img src=\"$dir_img/error.gif\" width=\"15\" height=\"15\"> <b><font size=\"2\">ERROR: your file type is not allowed (".getlast($fileupload_name).")</font>, or you didn't specify a file to upload.</b><br>»<a href=\"$_SERVER[PHP_SELF]\">back</a>";
}
else
{
if ($weight>$file_size_ind)
{
echo"<br><img src=\"$dir_img/error.gif\" width=\"15\" height=\"15\"> <b><font size=\"2\">ERROR: please get the file size less than ".$file_size_ind." BYTES (".round(($file_size_ind/1024),2)." KB)</font></b><br>»<a href=\"$_SERVER[PHP_SELF]\">back</a>";
}
else
{
foreach($_FILES[fileupload] as $key=>$value)
{
echo"<font color=\"#3399FF\">$key</font> : $value <br>";
}
echo "<br>";
$dest = '';
if (($source != 'none') && ($source != '' ))
{
$dest=$uploadpath.$fileupload_name;
if ($dest != '')
{
if (file_exists($uploadpath.$fileupload_name))
{
echo"<br><img src=\"$dir_img/error.gif\" width=\"15\" height=\"15\"> <b><font size=\"2\">ERROR: that file has already been uploaded before, please choose another file</font></b><br>»<a href=\"$_SERVER[PHP_SELF]\">back</a>";
}
else
{
if (copy($source,$dest))
{
if ($_POST[rename])
{
$_POST[rename]=replace($_POST[rename]);
$exfile=explode(".",$fileupload_name);
if (@rename("$dir_store/$fileupload_name","$dir_store/$_POST[rename].".getlast($fileupload_name)))
{
echo"<br><img src=\"$dir_img/info.gif\" width=\"15\" height=\"15\"> <b><font size=\"2\">file has been renamed to $_POST[rename].".getlast($fileupload_name)."!</font></b></font><br>";
}
}
echo"<br><img src=\"$dir_img/info.gif\" width=\"15\" height=\"15\"> <b><font size=\"2\">file has been uploaded!</font></b><br>»<a href=\"$_SERVER[PHP_SELF]\">back</a>";
}
else
{
echo"<br><img src=\"$dir_img/error.gif\" width=\"15\" height=\"15\"> <b><font size=\"2\">ERROR: cannot upload, please chmod the dir to 777</font></b><br>»<a href=\"$_SERVER[PHP_SELF]\">back</a>";
}
}
}
}
}
}
}
}
#/# end of main script, start authentication code IF user not logged in IF $auth_ReqPass is enabled
}
else
{
echo("<p><img src=\"$dir_img/error.gif\" width=\"15\" height=\"15\"> Authentication error</p>" .
"<p><a href='$_SERVER[PHP_SELF]?logout=1'>Delete cookies and login again<a></p>");
}
}
else
{
if (!isset($login) || isset($relogin)) {
?>
<font size="3"><b><i><? echo ($title) ? ($title) : ("File Upload Manager"); ?></i> - Authentication</b></font><br><br>
<table class="table_auth"><tr><td><center>
Please enter the username and password to enter the restricted area.<br>
You must have cookies enabled in your browser to continue.
</center></td></tr></table>
<form action="<?=$_SERVER[PHP_SELF]?>?login=1" method="POST"><p>
Username: <input type="text" name="auth_formUser" size="20"><br>
Password: <input type="password" name="auth_formPass" size="20">
<p><input type="submit" name="submit" class="button" value="Log-In"></p>
</form></center>
<?
}
elseif (isset($login))
{
echo("<p>$auth_msg</p>" . "<p>You'll be redirected in 2 seconds!</p>");
}
}
?>
</body>
</html>
OK that's the free script I am using. "copyrighted so hope it's OK to post it"
And yes it is a upload form that puts pictures in a directory and visitors can view.
Most positive. I checked the web server logs and saw the POST command for that directory.
No shared Host ! only use a few PHP scripts on server - guestbook, email form, message board.
I am not a programmer so not really sure what you mean by shell commands. Just using PHP scripts. Don't have any execute permissions on any folder or directory "going to double check that now" because I remember some files had to be CHMOD "full permissions".
Thanks again
Edited: Just searched Shell Commands. There is no user interface "GUI" that allows the host to execute and control OS commands. "Hope I read that and understood it somewhat correctly." Maybe just the PHP scripts, because they do have write permissions and I think one script only worked with full permissions. Checking now.
PS: Server Is a windows BOX
Uploaded another one and it was license of one of my scripts. Guess this person is bored !
Found these flaws:
url to view a file: /index.php?act=view&file=d2VlLnBocC50eHQ=
url to delete the same file: /index.php?act=del&file=d2VlLnBocC50eHQ=
http://diswww.mit.edu/menelaus.mit.edu/bt/39137
here is the server log:
89.52.52.202 - - [06/Mar/2006:08:18:31 -0800] "GET /upload/fileupload/index.php?act=view&file=d2ViYWRtaW4ucGhwLmdpZg== HTTP/1.1" 200 2283
IP from Germany "unless proxy"
so far i enabled password on script.
Any ideas where to add arrays to validate uploads?
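The two URLs above are the other half of the problem: act and file are honoured for anyone who can reach index.php, and file is only base64, not a secret. The request in the log line decodes to webadmin.php.gif (base64_decode of d2ViYWRtaW4ucGhwLmdpZg==), and the script's getlast() accepts that name because it only looks at the text after the last dot. On Apache with a handler mapped to .php, mod_mime can treat a name like x.php.gif as PHP; on other servers it depends on configuration, so treat the double extension as a warning sign either way. Separately, the dl and del branches build $dir_store."/".$value_de without stripping directory components, so a decoded name containing ../ reaches files outside the upload directory, and del runs with @unlink over a plain GET whenever $auth_ReqPass is not 1. The following is an added example of a hardened replacement for those branches, not code from this thread or from the script. It assumes PHP 7+, the script's $dir_store, and session state that the site's own login code would have to set: $_SESSION['admin'] for a logged-in admin and $_SESSION['csrf'] for a per-session anti-CSRF token (both assumed names).

```php
<?php
// Added example, not from the original thread or the File Upload Manager script.
// Assumes PHP 7+, the script's $dir_store, and (assumed) session values set by
// the site's login code: $_SESSION['admin'] and $_SESSION['csrf'].

function decode_file_param(string $encoded): string
{
    // The log line on this thread decodes as:
    //   base64_decode('d2ViYWRtaW4ucGhwLmdpZg==') === 'webadmin.php.gif'
    $name = base64_decode($encoded, true);       // strict mode rejects non-base64 input
    if ($name === false || $name === '' || strpos($name, "\0") !== false) {
        throw new RuntimeException('bad file parameter');
    }
    // Accept a bare file name only. The original built $dir_store."/".$value_de,
    // so a decoded name starting with "../" left the upload directory.
    if ($name !== basename($name)) {
        throw new RuntimeException('path components not allowed');
    }
    return $name;
}

function resolve_store_file(string $dir_store, string $name): string
{
    $store = realpath($dir_store);
    $path  = ($store === false) ? false : realpath($store . DIRECTORY_SEPARATOR . $name);
    // realpath() resolves symlinks and "..", and the prefix test rejects anything
    // that still ends up outside the store directory.
    if ($store === false || $path === false || !is_file($path)
        || strncmp($path, $store . DIRECTORY_SEPARATOR, strlen($store) + 1) !== 0) {
        throw new RuntimeException('no such file');
    }
    return $path;
}

function is_admin(): bool
{
    return !empty($_SESSION['admin']);           // assumed session flag
}

function csrf_token_valid(): bool
{
    $known = (string)($_SESSION['csrf'] ?? '');  // assumed per-session token
    $given = (string)($_POST['csrf'] ?? '');
    // hash_equals('', '') is true, so an unset token must fail explicitly.
    return $known !== '' && hash_equals($known, $given);
}

function handle_file_action(string $dir_store): void
{
    $act  = $_GET['act'] ?? '';
    $path = resolve_store_file($dir_store, decode_file_param($_GET['file'] ?? ''));
    $name = basename($path);

    switch ($act) {
        case 'view':
        case 'dl':
            // Always serve uploads as a download and forbid content sniffing,
            // so the browser never renders an upload as HTML or script.
            header('Content-Type: application/octet-stream');
            header('X-Content-Type-Options: nosniff');
            header('Content-Disposition: attachment; filename="'
                . str_replace(['"', "\r", "\n"], '', $name) . '"');
            header('Content-Length: ' . filesize($path));
            readfile($path);
            return;

        case 'del':
            // Destructive: POST only, logged-in admin only, valid CSRF token.
            if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !is_admin() || !csrf_token_valid()) {
                http_response_code(403);
                echo 'delete not permitted';
                return;
            }
            if (!unlink($path)) {
                throw new RuntimeException('delete failed');
            }
            echo 'deleted ' . htmlspecialchars($name);
            return;

        default:
            http_response_code(400);
            echo 'unknown action';
    }
}
```

With delete moved to POST, the <delete> link in the listing has to become a small form that carries the csrf field; the confirm() dialog can stay. The view action here serves the file as a download rather than opening it in a popup, which is the safer default for a directory that anyone can write to.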
volito, may I ask: how do you use this script? From what I understand from your posts, you place it on your server and let people (anyone) upload pictures? As far as I know that will always be a big security problem. You'd better look around for a more secure script and make sure it is not accessible, by protecting the directory it is in.