Rip up My Code
Posted: Tue Mar 24, 2009 11:08 am
This is the PHP code for a Flash-based CMS, and I'd like to know about any security loopholes. I'll try to explain the order in which things happen so that everyone knows what's going on and can find any loopholes.
The login screen is in Flash; the typed username and password get sent to a PHP file for checking, and no username or password info ever leaves the server. This is the top of the page that the Flash redirects to, sending the username and password that was typed as POST vars; the actual username and password are hard-coded in:
I did the whole $thisdir thing because I've heard Safari on Mac has issues if you don't. I dunno if that is true, but I figured it was worth doing. From there the session id gets passed to Flash, so that every time Flash sends a URLRequest to the second PHP page that I'll post next, it can validate that the user is logged in via the session var. This PHP page is never directly gone to; it just gets requests sent to it from Flash, allowing Flash to do different operations on the server:
I hard-coded all allowed file types that can be edited, and also all folders that can be edited within, and I'm validating that the file names don't have folder paths injected into them etc. And if the session var is not correct, I kill the script using die, AND change the opType to nothing so it won't run any operations even if for some odd reason die doesn't stop it.
I've definitely covered all security risks that I know of. It's the ones I don't know of that scare me.
I'm an expert front-end coder but an intermediate PHP programmer, so I wanted to post here and gain some insight from the experts.
Code:
<?php
// Expected credentials (hard-coded for the demo).
$userName = "demo";
$password = "demo";

session_start();
$_SESSION["secure"] = false;

// Work out the directory this script lives in so the redirect uses an absolute URL.
$fullpath = 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
$thisfile = basename($fullpath);
$cutoff   = strpos($fullpath, $thisfile);
$thisdir  = substr($fullpath, 0, $cutoff);

if ($_POST['uName'] !== $userName || $_POST['pWord'] != $password) {
    header('Location: ' . $thisdir . 'forbidden.html');
    die("Error!");
} else {
    $_SESSION["secure"] = true;
}
?>
Code:
<?php
// File extensions that may be listed, uploaded, edited, renamed or deleted.
$allowed = array("jpg", "jpeg", "gif", "tiff", "tif", "png", "bmp", "psd", "ai", "eps", "mp3", "wav", "aif", "m3u", "swf", "wmv", "flv", "mov", "f4v", "avi", "html", "htm", "xml", "css", "js", "txt", "xsl", "pdf", "fla", "zip", "doc");
// Folders (relative to this script) that the operations are allowed to touch.
$folders = array("code_editing_examples/", "preview_examples/", "file_types/");

// Magic quotes were removed in PHP 7; only call the setter where it still exists.
if (function_exists('set_magic_quotes_runtime')) {
    set_magic_quotes_runtime(false);
}

// True when the text after the last "." is in the allowed list.
function validateExtension($fname, $arr)
{
    $fname = strtolower($fname);
    $exts = explode(".", $fname);
    return in_array($exts[count($exts) - 1], $arr);
}

// True when the folder string is exactly one of the allowed folders.
function validateFolder($fname, $arr)
{
    return in_array($fname, $arr);
}

// True when the name contains neither a "/" nor a "..".
function doesntHaveFolders($fname)
{
    $folderCheck  = strpos($fname, "/") === false;
    $upLevelCheck = strpos($fname, "..") === false;
    return $folderCheck && $upLevelCheck;
}

$opType = $_POST["action"];

// The session id is supplied by Flash in the POST body.
session_id($_POST['id']);
session_start();
if ($_SESSION['secure'] !== true) {
    $opType = "NONE";
    die("|FAILURE|");
}

if ($opType == "breakcache") {
    // Echo the contents of the requested file back to Flash.
    echo file_get_contents($_POST["file"], "rb");
} else if ($opType == "readdir") {
    // List the allowed files in one of the allowed folders, one per line.
    $folderToRead = $_POST["folder"];
    if (validateFolder($folderToRead, $folders)) {
        if ($handle = opendir($folderToRead)) {
            while (false !== ($file = readdir($handle))) {
                if (true !== is_dir($file) && validateExtension($file, $allowed)) {
                    echo "$file\n";
                }
            }
            closedir($handle);
        }
    }
} else if ($opType == "trash") {
    // Delete folder + item once extension, folder and item name pass the checks.
    $toDelete = $_POST["folder"] . $_POST["item"];
    if (validateExtension($toDelete, $allowed) && validateFolder($_POST["folder"], $folders) && doesntHaveFolders($_POST["item"])) {
        unlink($toDelete);
    }
} else if ($opType == "rename") {
    $oldFile = $_POST["folder"] . $_POST["oldName"];
    $newFile = $_POST["folder"] . $_POST["newName"];
    if (validateExtension($oldFile, $allowed) && validateExtension($newFile, $allowed)
        && validateFolder($_POST["folder"], $folders)
        && doesntHaveFolders($_POST["oldName"]) && doesntHaveFolders($_POST["newName"])) {
        rename($oldFile, $newFile);
    }
} else if ($opType == "upload") {
    // Move the uploaded file (Flash sends it as "Filedata") into the target folder.
    $fullPath = $_POST["folder"] . $_POST["fileName"];
    if (validateExtension($fullPath, $allowed) && validateFolder($_POST["folder"], $folders) && doesntHaveFolders($_POST["fileName"])) {
        move_uploaded_file($_FILES['Filedata']['tmp_name'], $fullPath);
        chmod($fullPath, 0777);
        echo "SUCCESS";
    } else {
        unlink($_FILES['Filedata']['tmp_name']);
        echo "UPLOAD FAILURE";
    }
} else if ($opType == "savefile") {
    // Overwrite a file with the text Flash sent, then echo the saved contents back.
    $fullPath = $_POST["folder"] . $_POST["fileName"];
    $writeData = stripslashes($_POST["fileData"]);
    if (validateExtension($fullPath, $allowed) && validateFolder($_POST["folder"], $folders) && doesntHaveFolders($_POST["fileName"])) {
        $fp = fopen($fullPath, "wb");
        fwrite($fp, $writeData);
        fclose($fp);
        chmod($fullPath, 0777);
        echo file_get_contents($fullPath, "rb");
    }
} else if ($opType == "readtypes") {
    // Tell Flash which extensions are editable.
    echo implode("|", $allowed);
}
?>
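Below is an added example of how the two pages above could be restructured; it is not the poster's code and not part of the original thread. It responds to things that are visible in the posted code: the operations page takes its session id from the POST body (session_id($_POST['id'])) rather than from the cookie, so a client can pick the id it will later log in under; the "breakcache" action echoes file_get_contents() of whatever path is POSTed, with none of the folder or extension checks the other actions get; the login compares a plaintext password with "!="; uploaded and saved files are chmod'ed to 0777; and the path checks are string tests on the name instead of a check on where the resolved path actually lands. Every function name, the POST field "token", the 0644 mode, the PHP >= 7.1 APIs (random_bytes, password_verify, hash_equals, the ?? operator, nullable return types) and the expectation that the Flash client sends the session cookie with its URLRequest are assumptions of this example; the folder and extension lists in the self-check are shortened copies of the poster's.

```php
<?php
// Added example, not the poster's code: a hardened shape for the login and
// operations pages above. Function names, the POST field "token", the 0644 mode and
// the PHP >= 7.1 APIs used are assumptions; the lists in the self-check are shortened.
declare(strict_types=1);

// Map an untrusted (folder, name) pair to an absolute path, or null. The folder is
// canonicalised with realpath() and must sit under $root; the name is appended after
// that because realpath() fails for files that do not exist yet (upload, savefile).
function resolveManagedPath(string $root, string $folder, string $name,
                            array $folders, array $allowed): ?string
{
    if (!in_array($folder, $folders, true)) {
        return null;                                  // folder not allowlisted
    }
    // Rejects "/", "\", NUL and a leading dot ("..", ".htaccess") before the name
    // reaches pathinfo() or any filesystem call. \z, not $, so a trailing newline fails.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9_.-]{0,127}\z/', $name)) {
        return null;                                  // separators, "..", NUL, dot-files
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, $allowed, true)) {
        return null;                                  // extension not allowlisted
    }
    $rootReal = realpath($root);
    $dir      = realpath($root . DIRECTORY_SEPARATOR . $folder);
    if ($rootReal === false || $dir === false
        || strpos($dir, $rootReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;                                  // symlink or misconfiguration left $root
    }
    return $dir . DIRECTORY_SEPARATOR . $name;
}

// Login: constant-time checks against a stored password hash, a fresh session id on
// success (an id the client chose is never promoted to "secure"), and a per-session token.
function loginHandler(array $post, string $expectedUser, string $passwordHash): bool
{
    session_start();
    $_SESSION['secure'] = false;
    $user = (string) ($post['uName'] ?? '');
    $pass = (string) ($post['pWord'] ?? '');
    if (!hash_equals($expectedUser, $user) || !password_verify($pass, $passwordHash)) {
        http_response_code(403);
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['secure'] = true;
    $_SESSION['token']  = bin2hex(random_bytes(16));
    return true;
}

// Operations page: session id from the cookie, never from POST; every path through
// resolveManagedPath(); no "breakcache", since echoing a POSTed path reads any file.
function opsHandler(array $post, array $files, string $root, array $folders, array $allowed): string
{
    session_start();
    if (($_SESSION['secure'] ?? false) !== true || !isset($post['token'], $_SESSION['token'])
        || !hash_equals($_SESSION['token'], (string) $post['token'])) {
        http_response_code(403);
        return '|FAILURE|';
    }
    $folder  = (string) ($post['folder'] ?? '');
    $resolve = function (string $key) use ($post, $root, $folder, $folders, $allowed): ?string {
        return resolveManagedPath($root, $folder, (string) ($post[$key] ?? ''), $folders, $allowed);
    };
    switch ($post['action'] ?? '') {
        case 'trash':
            $p = $resolve('item');
            return ($p !== null && is_file($p) && unlink($p)) ? 'SUCCESS' : '|FAILURE|';
        case 'upload':
            $p   = $resolve('fileName');
            $tmp = (string) ($files['Filedata']['tmp_name'] ?? '');
            if ($p === null || !is_uploaded_file($tmp) || !move_uploaded_file($tmp, $p)) {
                return 'UPLOAD FAILURE';
            }
            chmod($p, 0644);                          // readable by the server, not world-writable
            return 'SUCCESS';
        case 'savefile':
            $p = $resolve('fileName');
            if ($p === null) { return '|FAILURE|'; }
            file_put_contents($p, (string) ($post['fileData'] ?? ''), LOCK_EX);   // no stripslashes()
            chmod($p, 0644);
            return (string) file_get_contents($p);
    }
    return '|FAILURE|';
}

// Self-check from the command line: run the path filter over constructed names.
if (PHP_SAPI === 'cli') {
    $root    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cms_demo_' . getmypid();
    $folders = ['code_editing_examples', 'preview_examples', 'file_types'];
    $allowed = ['jpg', 'jpeg', 'gif', 'png', 'css', 'txt', 'xml', 'pdf', 'zip'];
    mkdir($root . '/preview_examples', 0755, true);
    foreach (['pic.png', '../../etc/passwd', 'shell.php', '.htaccess', "a.txt\0.php", 'sub/x.txt'] as $n) {
        $p = resolveManagedPath($root, 'preview_examples', $n, $folders, $allowed);
        printf("%-20s %s\n", addcslashes($n, "\0"), $p === null ? 'rejected' : 'accepted');
    }
    rmdir($root . '/preview_examples');
    rmdir($root);
}
```

Running the file from the command line exercises only resolveManagedPath(): of the constructed names, pic.png is accepted and the other five are rejected before any filesystem call is made on them. The password hash passed to loginHandler() is meant to be created once with password_hash() and kept outside the web root, not sat next to the check as a literal. One design point the example deliberately leaves to the poster: whatever is in $allowed is content an authenticated user can publish and the server will serve, so keeping "php" out of the list matters, and leaving "html", "htm", "js" and "swf" in it means a compromised editor account can publish scripts to that origin.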