bobbfwed Posted December 1, 2008

I have been working on this project for quite some time, and have just recently released version 2.0.

In short: PHP Remote File Management System (File Manage for short) is an easy-to-use PHP system that allows multiple users to view, edit, delete, copy, rename, and move files and directories anywhere on the host computer. I've had it described as a PHP-based FTP system. But you have some extra flexibility that FTPs don't have.

I'd love it if some of you tried it out and let me know what you think of the new version. Maybe some things that should be added or changed!

Check it out on SourceForge.net here: https://sourceforge.net/projects/filemanage/

Adam Posted December 4, 2008

Could you not provide a test account? If your answer is no because of file security, perhaps an improvement you should be thinking about is being able to limit access to directories?

Adam

bobbfwed Posted December 4, 2008

I'm not quite sure what you mean by a test account. Do you mean on a server of mine? The program can be installed on your own system in about 30 seconds (set up by a setup wizard/script).

The program does have complete support for limiting users' access to files and directories (set up by admins or moderators of the system). The problem is, a lot of the good features that the program has, I don't want to give to every joe schmoe on this website, thus your own setup would be a better example of the power of this application.

I will try to set up the program on a server I have. Hopefully later today that can be up.

FYI: Version 2.0.1 will hopefully be released this weekend or early next week.

darkfreaks Posted December 6, 2008

this is a good function to have to clean up injection

```php
<?php
function clean($var)
{
    $var = mysql_real_escape_string(trim(strip_tags(htmlspecialchars($var))));
    return filter_var($var, FILTER_SANITIZE_STRING);
}

//changed line 220 filemanage2.php
echo 'Try <a href="'.clean(SELF).'?loc=/">ROOT</a> or contact an administrator for assistance.</font>';

//changed line 178 filemanage2.php
echo '<h2>Path: <b>'.clean(dir_nav(LOC)).'</b></h2>';
?>
```

darkfreaks Posted December 6, 2008

screw the function get rid of it and just put htmlspecialchars() on those 2 lines

bobbfwed Posted December 6, 2008

At what point would the file name have to be so filtered? Unless the admin puts some weird characters in the file name, SELF (just a constant of $_SERVER['PHP_SELF']) should be fairly safe. Were you having problems with it? If so, can you post a bug at sourceforge.net? And let me know how to duplicate it.

BTW: 2.0.1 has been released (download at the link in the first post). Not too many major changes, but we are already working on 2.0.2 (more minor changes) and 2.1.0, which is going to have some hefty interface changes, and integration with a templating engine for easy UI modification and simpler development.

darkfreaks Posted December 6, 2008

http://pixybox.seclab.tuwien.ac.at/pixy/results.php?id=pixy_1228525164f4S01f

look for yourself, those exploits go away when you put htmlspecialchars() in front of it

bobbfwed Posted December 6, 2008

http://pixybox.seclab.tuwien.ac.at/pixy/output/pixy_1228526737jF1lqx/xss_pixy_1228526737jF1lqx_1_min.dot.png doesn't tell me anything... I'm doing it because some computer told me not doing it was bad. Could you explain why this is a vulnerability?

darkfreaks Posted December 6, 2008

because if you don't clean up injection when you echo it out and pass it through a link, someone could change the variable to something nasty.

bobbfwed Posted December 6, 2008

But the link to nastiness would only affect the user that did the "injecting", right?

Well, either way, I have added the htmlspecialchars to the SELF variable, and have added it to the return of dir_nav, so it should no longer be a problem. Of course this app is more than just this one file... so I'll have to take this all into consideration with the other stuff as well.

darkfreaks Posted December 6, 2008

that's the only one i could find, can't wait for the next release, let us know

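The escaping fix discussed in this thread, as an added example that is not part of any post and is not File Manage's own code: it renders the line-220 link from a PHP_SELF value with and without htmlspecialchars(), then parses both results to see which one gains an extra element. The names `render_raw`, `render_escaped` and `inspect` are hypothetical, and the PHP_SELF values are constructed samples.

```php
<?php
// Added example, not File Manage's code. The render functions are
// hypothetical stand-ins for the echo on line 220 of filemanage2.php.

function render_raw(string $self): string
{
    return 'Try <a href="' . $self . '?loc=/">ROOT</a> or contact an administrator.';
}

function render_escaped(string $self): string
{
    // ENT_QUOTES also encodes ' so the value is safe in either quote style.
    $safe = htmlspecialchars($self, ENT_QUOTES, 'UTF-8');
    return 'Try <a href="' . $safe . '?loc=/">ROOT</a> or contact an administrator.';
}

// Parse the markup the way a browser would and report what it contains.
function inspect(string $html): array
{
    libxml_use_internal_errors(true);   // tolerate fragment-level markup
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();
    $link = $doc->getElementsByTagName('a')->item(0);
    return [
        'href'       => $link ? $link->getAttribute('href') : null,
        'b_elements' => $doc->getElementsByTagName('b')->length,
    ];
}

// Constructed PHP_SELF values: a normal request, and one where the requester
// appended path text after the script name (PHP includes it in PHP_SELF).
$samples = [
    '/filemanage2.php',
    '/filemanage2.php/"><b>injected</b>',
];

foreach ($samples as $self) {
    echo "PHP_SELF: $self\n";
    foreach (['raw' => render_raw($self), 'escaped' => render_escaped($self)] as $name => $html) {
        $r = inspect($html);
        printf("  %-8s href=%s  <b> elements=%d\n", $name, var_export($r['href'], true), $r['b_elements']);
    }
}
```

Because the value comes from the requested URL, the same check applies to any other request-derived string the page echoes, such as the `loc` path shown by `dir_nav(LOC)`.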