rotoxis Posted May 23, 2009 Share Posted May 23, 2009 <? error_reporting(7); $max_file_size="1024"; $max_combined_size="2048"; $file_uploads="2"; $websitename="Security Test."; $random_name=true; $allow_types=array("jpg","gif","png"); $folder="./uploads/"; $full_url="http://www.url.info/uploads/"; $fullpath=""; $password=""; $password_md5=md5($password); If($password) { If($_POST['verify_password']==true) { If(md5($_POST['check_password'])==$password_md5) { setcookie("phUploader",$password_md5,time()+86400); sleep(1); header("Location: http://".$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF']); exit; } } } $password_form=""; If($password) { If($_COOKIE['phUploader']!=$password_md5) { $password_form="<form method=\"POST\" action=\"".$_SERVER['PHP_SELF']."\">\n"; $password_form.="<table align=\"center\" class=\"table\">\n"; $password_form.="<tr>\n"; $password_form.="<td width=\"100%\" class=\"table_header\" colspan=\"2\">Password Required</td>\n"; $password_form.="</tr>\n"; $password_form.="<tr>\n"; $password_form.="<td width=\"35%\" class=\"table_body\">Enter Password:</td>\n"; $password_form.="<td width=\"65%\" class=\"table_body\"><input type=\"password\" name=\"check_password\" /></td>\n"; $password_form.="</tr>\n"; $password_form.="<td colspan=\"2\" align=\"center\" class=\"table_body\">\n"; $password_form.="<input type=\"hidden\" name=\"verify_password\" value=\"true\">\n"; $password_form.="<input type=\"submit\" value=\" Verify Password \" />\n"; $password_form.="</td>\n"; $password_form.="</tr>\n"; $password_form.="</table>\n"; $password_form.="</form>\n"; } } function get_ext($key) { $key=strtolower(substr(strrchr($key, "."), 1)); $key=str_replace("jpeg","jpg",$key); return $key; } $ext_count=count($allow_types); $i=0; foreach($allow_types AS $extension) { If($i <= $ext_count-2) { $types .="*.".$extension.", "; } Else { $types .="*.".$extension; } $i++; } unset($i,$ext_count); $error=""; $display_message=""; $uploaded==false; If($_POST['submit']==true AND !$password_form) { For($i=0; $i <= $file_uploads-1; $i++) { If($_FILES['file']['name'][$i]) { $ext=get_ext($_FILES['file']['name'][$i]); $size=$_FILES['file']['size'][$i]; $max_bytes=$max_file_size*1024; If($random_name){ $file_name[$i]=time()+rand(0,100000).".".$ext; } Else { $file_name[$i]=$_FILES['file']['name'][$i]; } If(!in_array($ext, $allow_types)) { $error.= "Invalid extension for your file: ".$_FILES['file']['name'][$i].", only ".$types." are allowed.<br />Your file(s) were <b>not</b> uploaded.<br />"; } Elseif($size > $max_bytes) { $error.= "Your file: ".$_FILES['file']['name'][$i]." is to big. Max file size is ".$max_file_size."kb.<br />Your file(s) were <b>not</b> uploaded.<br />"; } Elseif(file_exists($folder.$file_name[$i])) { $error.= "The file: ".$_FILES['file']['name'][$i]." exists on this server, please rename your file.<br />Your file(s) were <b>not</b> uploaded.<br />"; } } } $total_size=array_sum($_FILES['file']['size']); $max_combined_bytes=$max_combined_size*1024; If($total_size > $max_combined_bytes) { $error.="The max size allowed for all your files combined is ".$max_combined_size."kb<br />"; } If($error) { $display_message=$error; } Else { For($i=0; $i <= $file_uploads-1; $i++) { If($_FILES['file']['name'][$i]) { If(@move_uploaded_file($_FILES['file']['tmp_name'][$i],$folder.$file_name[$i])) { $uploaded=true; } Else { $display_message.="Couldn't copy ".$file_name[$i]." to server, please make sure ".$folder." is chmod 777 and the path is correct.\n"; } } } } } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="Content-Language" content="en-us" /> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <title><?php echo $websitename; ?> - Powered By ?</title> <style type="text/css"> body{ background-color:#FFFFFF; font-family: Verdana, Arial, sans-serif; font-size: 12pt; color: #000000; } .error_message{ font-family: Verdana, Arial, sans-serif; font-size: 11pt; color: #FF0000; } .uploaded_message{ font-family: Verdana, Arial, sans-serif; font-size: 11pt; color: #000000; } a:link{ text-decoration:none; color: #000000; } a:visited{ text-decoration:none; color: #000000; } a:hover{ text-decoration:none; color: #000000; } .table { border-collapse:collapse; border:1px solid #000000; width:450px; } .table_header{ border:1px solid #070707; background-color:#C03738; font-family: Verdana, Arial, sans-serif; font-size: 11pt; font-weight:bold; color: #FFFFFF; text-align:center; padding:2px; } .upload_info{ border:1px solid #070707; background-color:#EBEBEB; font-family: Verdana, Arial, sans-serif; font-size: 8pt; color: #000000; padding:4px; } .table_body{ border:1px solid #070707; background-color:#EBEBEB; font-family: Verdana, Arial, sans-serif; font-size: 10pt; color: #000000; padding:2px; } .table_footer{ border:1px solid #070707; background-color:#C03738; text-align:center; padding:2px; } input,select,textarea { font-family: Verdana, Arial, sans-serif; font-size: 10pt; color: #000000; background-color:#AFAEAE; border:1px solid #000000; } .copyright { border:0px; font-family: Verdana, Arial, sans-serif; font-size: 9pt; color: #000000; text-align:right; } form{ padding:0px; margin:0px; } </style> <? If($password_form) { Echo $password_form; } Elseif($uploaded==true) {?> <table align="center"class="table"> <tr> <td class="table_header" colspan="2"><b>Your file(s) have been uploaded!</b> </td> </tr> <tr> <td class="table_body"> <br /> <? For($i=0; $i <= $file_uploads-1; $i++) { If($_FILES['file']['name'][$i]) { $file=$i+1; Echo("<b>File #".$file.":</b> <a href=\"".$full_url.$file_name[$i]."\" target=\"_blank\">".$full_url.$file_name[$i]."</a><br /><br />\n"); } } ?> <br /> <a href="<?=$_SERVER['PHP_SELF'];?>">Go Back</a> <br /> </td> </tr> </table> <?} Else {?> <?If($display_message){?> <div align="center" class="error_message"><?=$display_message;?></div> <br /> <?}?> <form action="<?=$_SERVER['PHP_SELF'];?>" method="post" enctype="multipart/form-data" name="phuploader"> <table align="center"class="table"> <tr> <td class="table_header" colspan="2"><b><?=$websitename;?></b> </td> </tr> <tr> <td colspan="2" class="upload_info"> <b>Allowed Types:</b> <?=$types?><br /> <b>Max size per file:</b> <?=$max_file_size?>kb.<br /> <b>Max size for all files combined:</b> <?=$max_combined_size?>kb.<br /> </td> </tr> <?For($i=0;$i <= $file_uploads-1;$i++) {?> <tr> <td class="table_body" width="20%"><b>Select File:</b> </td> <td class="table_body" width="80%"><input type="file" name="file[]" size="30" /></td> </tr> <?}?> <tr> <td colspan="2" align="center" class="table_footer"> <input type="hidden" name="submit" value="true" /> <input type="submit" value=" Upload File(s) " /> <input type="reset" name="reset" value=" Reset Form " /> </td> </tr> </table> </form> <?}//Footer?> <table width="703" align="center" class="table" style="border:0px;"> <tr> <td width="695"><div class="copyright">©<a href="http://www.url.info" target="_blank" title="Security">Security Test</a></div></td> </tr> </table> </body> </html> Is that script 100% Secure ? Thanks in Advanced Link to comment https://forums.phpfreaks.com/topic/159371-bug-test/ Share on other sites More sharing options...
MadTechie Posted May 23, 2009 Share Posted May 23, 2009 First off theirs no such thing as 100% secure, I just quickly read the script and wrote some notes, okay well the unless i missed something and providing your site is also secure it looks okay (a few things i would change) heres my notes hope they help storing the MD5 password in a cookie isn't a good idea, Why not have a session thats just set to true $_SESSION['allowUploads'] = true; //the the username or IP etc etc also $_SERVER['PHP_SELF'] can be used to inject HTML ie mypage.php?a=<script>alert('hello');</script> as for checking extensions, personally I use a MIME test as well! try to use long php tags <?php instead of <? for portability I don't like your random name idea $file_name[$i]=time()+rand(0,100000).".".$ext; Just say the random number is 60 then 55 seconds later someone gets a random number 5 So that i would change. Link to comment https://forums.phpfreaks.com/topic/159371-bug-test/#findComment-840628 Share on other sites More sharing options...
rotoxis Posted May 23, 2009 Author Share Posted May 23, 2009 Cheers mate Ill start fixing the issues How can i fix the XSS ? Link to comment https://forums.phpfreaks.com/topic/159371-bug-test/#findComment-840631 Share on other sites More sharing options...
MadTechie Posted May 23, 2009 Share Posted May 23, 2009 if the page is an index.php page then you don't need to use $_SERVER['PHP_SELF'] so header("Location: http://".$_SERVER['HTTP_HOST']); would be fine escaping it maybe an option ie $PHP_SELF = htmlentities($_SERVER['PHP_SELF']); Link to comment https://forums.phpfreaks.com/topic/159371-bug-test/#findComment-840632 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.