About Php Files
Jul 28 2008, 06:02 PM, Post #1
Advanced Member, Group: Moderators, Posts: 385, Joined: 6-July 08, Member No.: 9
I think everyone can upload "image.php.jpg" or "image.html.jpg". You should use this to prevent uploading those kinds of images:

```php
// Prefix the stored name with a random number and replace spaces, dashes, plus signs
// and the substrings ".php"/".html" in the client-supplied name with "_".
// str_replace matches each entry literally (" +" and "_+" are not patterns).
$prefix  = rand(1, 9999);
$search  = array(" ", "-", "+", ".php", ".html", " +", "_+"); // must not be named $this; PHP cannot reassign $this
$replace = array("_", "_", "_", "_", "_", "_", "_");
$newname = $prefix . '_' . str_replace($search, $replace, $_FILES['file']['name']);
```

I think that should do the trick. Also your security would be one step higher.
Jul 28 2008, 06:53 PM, Post #2
Advanced Member, Group: Moderators, Posts: 125, Joined: 5-July 08, Member No.: 4
Nice find! Think Scripteen will use it?
I WONDER what is involved in making this (ANY?) script rock solid and hacker-resistant. There are security audit companies out there, but I don't know IF they supply a solution to flaws. (AND I'm sure it's expensive.) Thank you Todx for the contribution.
Jul 28 2008, 07:04 PM, Post #3
Member, Group: Members, Posts: 10, Joined: 8-July 08, Member No.: 12
Which file do I edit that into?
Jul 28 2008, 07:35 PM, Post #4
Advanced Member, Group: Moderators, Posts: 125, Joined: 5-July 08, Member No.: 4
> Which file do I edit that into?

I suggest that this was intended for Scripteen to adapt and incorporate into the script for a future release.
Jul 28 2008, 07:39 PM, Post #5
Advanced Member, Group: Moderators, Posts: 385, Joined: 6-July 08, Member No.: 9
Well, you have to edit the file uploader.php in the directory inc, but don't modify the script by yourself; wait for Scripteen to fix it, if he will use my code.
You can see this code in action: go to MY SITE and try uploading an image with spaces and .php; it will rename everything to _. I really hope you will fix security issues.

> I suggest that this was intended for Scripteen to adapt and incorporate into the script for a future release.

Yes it was.
Jul 29 2008, 10:08 AM, Post #6
Advanced Member, Group: Members, Posts: 128, Joined: 6-July 08, Member No.: 7
I guess this code also solved the foreign language character problem.
Everyone can add their language characters manually to this code.
Jul 29 2008, 01:31 PM, Post #7
Advanced Member, Group: Moderators, Posts: 385, Joined: 6-July 08, Member No.: 9
> I guess this code also solved the foreign language character problem. Everyone can add their language characters manually to this code.

That's correct, ImageCrab. Let's hope he will use this code.
Aug 2 2008, 11:11 PM, Post #8
Administrator, Group: Root Admin, Posts: 291, Joined: 19-June 08, Member No.: 1
The problem with that code is that there are various file types that can be executed with harmful data, like
.php .php3 .php4 .php5 .phtml .pl .py .jsp .asp .aspx .htm .html .shtml .sh .cgi. To avoid this I have secured the images folder with an .htaccess file so as not to permit any files but image files to be run from there.

Ahmed Shafek
Scripteen.com CEO
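The thread does not show the actual .htaccess, so the following is an added example of the kind of file post #8 describes, not the Scripteen file itself. It assumes Apache 2.4 with mod_mime and mod_php, and an AllowOverride that permits FileInfo, Options and AuthConfig in the images directory.

```apache
# Added example .htaccess for the uploaded-images directory (not the Scripteen file).
# Assumes Apache 2.4 with mod_mime and mod_php, and AllowOverride allowing
# FileInfo, Options and AuthConfig for this directory.

# Layer 1: only files whose final extension is an image type are served at all.
Require all denied
<FilesMatch "\.(?i:jpe?g|png|gif)$">
    Require all granted
</FilesMatch>

# Layer 2: a name such as "image.php.jpg" passes layer 1, so also make sure
# nothing in this directory is ever handed to a script engine.
# php_flag is understood by mod_php only; under FPM/FastCGI it is an unknown
# directive (HTTP 500), and the handler must be removed in the proxy config instead.
php_flag engine off
RemoveHandler .php .php3 .php4 .php5 .phtml .pl .py .jsp .asp .aspx .htm .html .shtml .sh .cgi
RemoveType .php .php3 .php4 .php5 .phtml
Options -ExecCGI -Includes
```

The two layers cover different cases: the `Require` block stops anything whose last extension is not an image from being fetched, while `php_flag engine off`, `RemoveHandler` and `Options -ExecCGI -Includes` stop the server from executing a file that got in under a double extension. Note that `RemoveHandler` only undoes `AddHandler`-style mappings; a server-level `<FilesMatch "\.php$"> SetHandler ...` block is not affected by it, which is why the engine switch is the directive that actually matters under mod_php.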
Aug 4 2008, 06:39 PM, Post #9
Advanced Member, Group: Moderators, Posts: 385, Joined: 6-July 08, Member No.: 9
> The problem with that code is that there are various file types that can be executed with harmful data, like .php .php3 .php4 .php5 .phtml .pl .py .jsp .asp .aspx .htm .html .shtml .sh .cgi. To avoid this I have secured the images folder with an .htaccess file so as not to permit any files but image files to be run from there.

If you import my script into yours, then even if someone uploads a .php3 or any other number at the end, the array entry ".php" will still be changed into _.
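To make the disagreement in posts #1, #8 and #9 concrete, here is an added example (not code from this thread or from the Scripteen script) that wraps the rename from post #1 in a function, runs it over the extension list from post #8 to show which double-extension names it does and does not neutralise, and places an allowlist rename beside it that discards the client-supplied name entirely. The function names, the `store_image` helper and the sample file names are this example's own assumptions; it assumes PHP 7.1 or later.

```php
<?php
// Added example, not code from this thread or from the Scripteen script.
// Assumes PHP 7.1+ (random_bytes, nullable return types). Sample file names
// below are constructed for the demonstration.

// The blacklist rename proposed in post #1, as a function. The original
// assigned to $this, which PHP does not allow, so the search list is $search.
function blacklist_rename(string $name): string
{
    $search  = [' ', '-', '+', '.php', '.html', ' +', '_+'];
    $replace = array_fill(0, count($search), '_');
    return str_replace($search, $replace, $name);
}

// Run the blacklist over a list of extensions using the double-extension
// pattern from post #1 ("image.<ext>.jpg") and return the names in which
// ".<ext>" is still present after the rename.
function blacklist_survivors(array $extensions): array
{
    $survivors = [];
    foreach ($extensions as $ext) {
        $renamed = blacklist_rename("image.$ext.jpg");
        if (stripos($renamed, ".$ext") !== false) {
            $survivors[$ext] = $renamed;
        }
    }
    return $survivors;
}

// Allowlist alternative: the stored name is random, and the extension comes
// from the detected image type (magic bytes via getimagesize), not from the
// client. Returns null for anything that is not one of the allowed types.
function allowlist_name(string $tmpPath): ?string
{
    $allowed = [
        IMAGETYPE_JPEG => 'jpg',
        IMAGETYPE_PNG  => 'png',
        IMAGETYPE_GIF  => 'gif',
    ];
    $info = @getimagesize($tmpPath);   // false when the file is not an image
    if ($info === false || !isset($allowed[$info[2]])) {
        return null;
    }
    return bin2hex(random_bytes(8)) . '.' . $allowed[$info[2]];
}

// Hypothetical upload handler built on the allowlist: $file is one entry of
// $_FILES, $dir the images directory. Returns the stored name or null on rejection.
function store_image(array $file, string $dir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $name = allowlist_name($file['tmp_name']);
    if ($name === null) {
        return null;
    }
    $dest = rtrim($dir, '/') . '/' . $name;
    return move_uploaded_file($file['tmp_name'], $dest) ? $name : null;
}

// Demonstration: the extension list from post #8 against the blacklist.
$extensions = ['php', 'php3', 'php4', 'php5', 'phtml', 'pl', 'py', 'jsp',
               'asp', 'aspx', 'htm', 'html', 'shtml', 'sh', 'cgi'];
$survivors = blacklist_survivors($extensions);
foreach ($extensions as $ext) {
    $status = isset($survivors[$ext]) ? 'still present' : 'neutralised';
    printf("%-16s -> %-16s %s\n", "image.$ext.jpg", blacklist_rename("image.$ext.jpg"), $status);
}
```

Run from the command line, the loop confirms the point made in post #9 (".php3" becomes "_3" because ".php" is a substring of it) and the point made in post #8 at the same time: .phtml, .pl, .py, .jsp, .asp, .aspx, .htm, .shtml, .sh and .cgi pass through the blacklist untouched, because a substring blacklist can only catch what it was told about. "Still present" means only that the extension string survives in the stored name; whether the web server would run such a file depends on its handler configuration, which is what the .htaccess approach in post #8 addresses. The allowlist version avoids the question by never letting any part of the client's name reach the filesystem.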
Aug 4 2008, 08:12 PM, Post #10
Advanced Member, Group: Moderators, Posts: 125, Joined: 5-July 08, Member No.: 4
I understand your persistence in safeguarding file execution by automatically altering the extension of the file. Whilst I DO believe this would be a reasonable safeguard, I remember that we were looking to maintain a level of spider-friendliness, and I suspect that's the path Scripteen is pursuing. So although YOUR suggestion is a rock solid safeguard, I feel it's possibly unlikely Scripteen will adopt it (as a short-term fix) if he has progressed past and beyond that to an image renaming protocol that maintains the level of spider-friendliness that we are all seeking.
Do not think I am shirking or belittling your proposal, just keeping other options open.
Aug 5 2008, 02:54 PM, Post #11
Advanced Member, Group: Moderators, Posts: 385, Joined: 6-July 08, Member No.: 9
> Do not think I am shirking or belittling your proposal, just keeping other options open.

I know and understand what you mean. I'll stop bothering Scripteen with this code.
Aug 5 2008, 04:10 PM, Post #12
Administrator, Group: Root Admin, Posts: 291, Joined: 19-June 08, Member No.: 1
> I know and understand what you mean. I'll stop bothering Scripteen with this code.

You are not bothering me at all. But the thing is that I have applied some other ways to prevent uploading malicious files, and they work fine, and I'm now preparing the download package for version 1.4.

Ahmed Shafek
Scripteen.com CEO