The login screen is in flash, the typed username and password get sent to a php file for checking, no username or password info ever leaves the server. This is top of the page that the flash redirects to, sending the username and password that was typed as POST vars, the actual username and password are hard coded in:
Code: Select all
<?php
$userName = "demo";
$password = "demo";
session_start();
$_SESSION["secure"] = false;
$fullpath = 'http://' . $HTTP_SERVER_VARS[HTTP_HOST] . $HTTP_SERVER_VARS[REQUEST_URI];
$thisfile = basename($fullpath);
$cutoff = strpos($fullpath, $thisfile);
$thisdir = substr($fullpath, 0, $cutoff);
if ($_POST['uName'] !== $userName || $_POST['pWord'] != $password)
{ header('location:' . $thisdir . 'forbidden.html'); die("Error!"); }
else
{ $_SESSION["secure"] = true; }
?>
Code: Select all
<?php
$allowed = array("jpg", "jpeg", "gif", "tiff", "tif", "png", "bmp", "psd", "ai", "eps", "mp3", "wav", "aif", "m3u", "swf", "wmv", "flv", "mov", "f4v", "avi", "html", "htm", "xml", "css", "js", "txt", "xsl","pdf", "fla", "zip", "doc");
$folders = array("code_editing_examples/", "preview_examples/", "file_types/");
set_magic_quotes_runtime(false);
function validateExtension($fname, $arr)
{
$fname = strtolower($fname) ;
$exts = explode(".", $fname);
return in_array($exts[count($exts)-1], $arr);
}
function validateFolder($fname, $arr)
{
return in_array($fname, $arr);
}
function doesntHaveFolders($fname)
{
$folderCheck = strpos($fname, "/") === false;
$upLevelCheck = strpos($fname, "..") === false;
return $folderCheck && upLevelCheck;
}
$opType = $_POST["action"];
session_id($_POST['id']);
session_start();
if ($_SESSION['secure'] !== true)
{
$opType = "NONE";
die("|FAILURE|");
}
if ($opType == "breakcache")
{
echo file_get_contents($_POST["file"], "rb");
}
else if ($opType == "readdir")
{
$folderToRead = $_POST["folder"];
if (validateFolder($folderToRead, $folders))
{
if ($handle = opendir($folderToRead))
{
while (false !== ($file = readdir($handle)))
{
if (true !== is_dir($file) && validateExtension($file, $allowed)) { echo "$file\n"; }
}
}
}
}
else if ($opType == "trash")
{
$toDelete = $_POST["folder"] . $_POST["item"];
if (validateExtension($toDelete, $allowed) && validateFolder($_POST["folder"], $folders) && doesntHaveFolders($_POST["item"]))
{
unlink($toDelete);
}
}
else if ($opType == "rename")
{
$oldFile = $_POST["folder"] . $_POST["oldName"];
$newFile = $_POST["folder"] . $_POST["newName"];
if (validateExtension($oldFile, $allowed) && validateExtension($newFile, $allowed) && validateFolder($_POST["folder"], $folders) && doesntHaveFolders($_POST["oldName"]) && doesntHaveFolders($_POST["newName"]))
{
rename($oldFile, $newFile);
}
}
else if ($opType == "upload")
{
$fullPath = $_POST["folder"] . $_POST["fileName"];
if (validateExtension($fullPath, $allowed) && validateFolder($_POST["folder"], $folders) && doesntHaveFolders($_POST["fileName"]))
{
move_uploaded_file($_FILES['Filedata']['tmp_name'], $fullPath);
chmod($fullPath, 0777);
echo "SUCCESS";
}
else
{
unlink($_FILES['Filedata']['tmp_name']);
echo "UPLOAD FAILURE";
}
}
else if ($opType == "savefile")
{
$fullPath = $_POST["folder"] . $_POST["fileName"];
$writeData = stripslashes($_POST["fileData"]);
if (validateExtension($fullPath, $allowed) && validateFolder($_POST["folder"], $folders) && doesntHaveFolders($_POST["fileName"]))
{
$fp = fopen($fullPath, "wb");
fwrite($fp, $writeData);
fclose($fp);
chmod($fullPath, 0777);
echo file_get_contents($fullPath, "rb");
}
}
else if ($opType == "readtypes")
{
echo implode("|", $allowed);
}
?>
I've definitely covered all security risks that I know of. It's the ones I don't know of that scare me