How secure is my upload routine?


FalseProphet


I'm allowing users to upload a file into a directory that is inside of my ftp's root directory (what is the proper term for this area anyway?)

Anyway, I am uploading to this folder:

+ www.mywebsite.com/
	+ files/
		+ images/
			- welcome.jpg
	+ system/
		- text.txt
	- index.php
	+ upload/ <-- here, this one right here
		- an_uploaded_file.zip

 

If I have a PHP script that downloads from this folder, would I need to worry about someone doing something that is not intended? I don't want someone overwriting my index.php with their own.

https://forums.phpfreaks.com/topic/223134-how-secure-is-my-upload-routine/

This is my download script:

<?php

// The filename comes straight from the query string. strtolower() makes the
// lookup case-insensitive, which matters on a case-sensitive filesystem.
$getID = strtolower($_GET['file']);
$fileID = "../../../uploads/" . $getID;

// Intended as a blacklist of path characters. Because "!=" binds tighter
// than "||", only the last strstr() is compared with TRUE; the first three
// are just tested for truthiness, so a name that contains "\\", "/" or "../"
// makes the whole condition TRUE and the file is served instead of refused.
// A name with none of the four substrings also passes (strstr() returns
// FALSE, and FALSE != TRUE), which is the only case that works as intended.
if (strstr($getID,"\\") || strstr($getID,"/") || strstr($getID,"../") || strstr($getID,"%") != TRUE) {
	if (file_exists($fileID)) {
		// header code below taken from php.net
		header('Content-Description: File Transfer');
		header('Content-Type: application/octet-stream');
		header('Content-Disposition: attachment; filename=' . basename($fileID));
		header('Content-Transfer-Encoding: binary');
		header('Expires: 0');
		header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
		header('Pragma: public');
		header('Content-Length: ' . filesize($fileID));
		ob_clean();
		flush();
		readfile($fileID);
		// header code above taken from php.net
	}
	else {
		echo "File does not exist on the server!";
	}
}
else {
	echo "Illegal string not allowed.";
}
?>

I lost the ability to edit my post...? Anyway, here are my upload script and my download script.

Upload.php

<?php
// The client-supplied filename is used, unchanged, as the name on disk.
$fileName = $_FILES['fileupload']['name'];
$pathUploads = "../../../uploads/" . $_FILES['fileupload']['name'];

// Same precedence problem as in download.php: "!=" binds tighter than "||",
// so a name containing "../" makes the condition TRUE and is accepted.
// $_FILES['fileupload']['error'] is never checked, and nothing prevents a
// new upload from replacing an existing file with the same name.
if (strstr($_FILES['fileupload']['name'],"../") || strstr($_FILES['fileupload']['name'],"%") != TRUE) {
	if(move_uploaded_file($_FILES["fileupload"]["tmp_name"], $pathUploads)) {
		// $fileName is echoed into the HTML without htmlspecialchars().
		echo "File uploaded successfully.<br>Download link: <font color=#0055ff>http://mywebsite.com/system/temp/download.php?file=$fileName</font>";
		echo "<br> This link is CASE SENSITIVE!";
	}
	else {
		// move_uploaded_file() also fails on permission errors, a missing
		// file or an upload error, not only when the size limit is exceeded.
		echo "File size exceeded. Maximum size: 2MB";
	}
}
else {
	echo "File contains illegal characters.";
}
?>

 

Download.php

<?php

// Same as the first version, without strtolower(): the requested name must
// now match the stored file's case exactly.
$getID = $_GET['file'];
$fileID = "../../../uploads/" . $getID;

// Same blacklist as above, with the same precedence problem: a name
// containing "\\", "/" or "../" makes the condition TRUE and is served.
if (strstr($getID,"\\") || strstr($getID,"/") || strstr($getID,"../") || strstr($getID,"%") != TRUE) {
	if (file_exists($fileID)) {
		// header code below taken from php.net
		header('Content-Description: File Transfer');
		header('Content-Type: application/octet-stream');
		header('Content-Disposition: attachment; filename=' . basename($fileID));
		header('Content-Transfer-Encoding: binary');
		header('Expires: 0');
		header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
		header('Pragma: public');
		header('Content-Length: ' . filesize($fileID));
		ob_clean();
		flush();
		readfile($fileID);
		// header code above taken from php.net
	}
	else {
		echo "File does not exist on the server!";
	}
}
else {
	echo "Illegal string not allowed.";
}
?>
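To see what the posted condition actually does once PHP applies its operator precedence, here is an added example (not part of the original post) that evaluates the expression exactly as written, beside a version that rejects any name containing one of the four substrings, over a handful of constructed filenames. Function names and the sample names are assumptions made for the illustration.

```php
<?php
// Added example: compare the filter from the posted download.php with a
// strict "none of these substrings" check. Sample names are constructed.

/** The condition from the posted download.php, copied unchanged. */
function postedFilter(string $getID): bool
{
    // Parsed as: strstr(..."\\") || strstr(..."/") || strstr(..."../") || (strstr(..."%") != TRUE)
    return strstr($getID, "\\") || strstr($getID, "/") || strstr($getID, "../") || strstr($getID, "%") != TRUE;
}

/** Reject the name if any of the four substrings is present. */
function strictFilter(string $getID): bool
{
    foreach (["\\", "/", "../", "%"] as $bad) {
        if (strpos($getID, $bad) !== false) {
            return false;
        }
    }
    return true;
}

$samples = [
    'report.zip',          // plain name
    '../../../index.php',  // traversal
    'sub/dir.zip',         // slash only
    'a%20b.zip',           // percent, no slash
    'a%20b/../x',          // percent and traversal
];

printf("%-22s %-8s %s\n", 'name', 'posted', 'strict');
foreach ($samples as $s) {
    printf("%-22s %-8s %s\n", $s,
        postedFilter($s) ? 'allow' : 'deny',
        strictFilter($s) ? 'allow' : 'deny');
}
```

Run from the command line, the posted filter allows every sample except `a%20b.zip`: a slash or `../` makes one of the first three `strstr()` calls truthy, and a name with no `%` makes the last comparison `FALSE != TRUE`. Only a name that contains `%` and no slash is refused, which is the opposite of what the blacklist was meant to do.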

You need to check the filename that you are accepting via GET. Make sure it is just plain text with no slashes and that the period is not the first character. In both upload and download I would check the file extension as well, and in the upload check the MIME type too.
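One way to apply those checks, added here as an example and not taken from the original post: whitelist the filename instead of blacklisting characters, verify the extension on both sides, sniff the uploaded content's MIME type, store files under a server-chosen name so nothing can be overwritten, and confine the download path with realpath(). UPLOAD_DIR, the ALLOWED table, MAX_BYTES and all function names are assumptions made for this illustration; it assumes PHP 7.1 or later with the fileinfo extension.

```php
<?php
// Added example, not the original poster's scripts: a hardened version of
// the upload/download pair. UPLOAD_DIR, ALLOWED, MAX_BYTES and the function
// names are assumptions for this illustration (PHP 7.1+, ext/fileinfo).

const UPLOAD_DIR = '/var/www/uploads';   // assumed: a directory outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;      // assumed: the 2 MB limit mentioned in the post

// Extension whitelist, each mapped to the MIME type the file's *content*
// must have. Anything not listed is neither accepted nor served.
const ALLOWED = [
    'zip' => 'application/zip',
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'pdf' => 'application/pdf',
];

/**
 * Whitelist a filename: lower-case letters, digits, "_" and "-", exactly one
 * dot, and a listed extension. This one rule excludes slashes, backslashes,
 * "%", a leading "." and names such as "index.php". Returns null on failure.
 */
function safeName(string $name): ?string
{
    $name = strtolower(basename($name));
    if (!preg_match('/\A[a-z0-9_-]{1,100}\.([a-z0-9]{1,5})\z/', $name, $m)) {
        return null;
    }
    return isset(ALLOWED[$m[1]]) ? $name : null;
}

/**
 * Resolve an already-validated name under UPLOAD_DIR and confirm the real
 * path is still inside it (defence in depth against traversal and symlinks).
 */
function resolveUploadPath(string $safeName): ?string
{
    $base = realpath(UPLOAD_DIR);
    $path = realpath(UPLOAD_DIR . '/' . $safeName);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    return strncmp($path, $base . '/', strlen($base) + 1) === 0 ? $path : null;
}

/** Store one entry of $_FILES; returns the name to hand back as the download link. */
function handleUpload(array $file): string
{
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        throw new RuntimeException("Upload failed (error code $err)");
    }
    if ($file['size'] > MAX_BYTES || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('File too large or not an uploaded file');
    }
    $name = safeName($file['name']);
    if ($name === null || strlen($name) > 64) {
        throw new RuntimeException('Filename rejected');
    }
    // Sniff the stored bytes; the client's ['type'] field is attacker-controlled.
    $ext  = pathinfo($name, PATHINFO_EXTENSION);
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("Content type $mime does not match .$ext");
    }
    // Server-chosen random prefix: no collisions between users, and no way
    // to overwrite an existing file by re-using its name.
    $stored = bin2hex(random_bytes(8)) . '-' . $name;
    $dest   = UPLOAD_DIR . '/' . $stored;
    if (file_exists($dest) || !move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640); // stored files are never executable
    return $stored;
}

/** Stream a validated file from UPLOAD_DIR, or answer 404. */
function handleDownload(string $requested): void
{
    $name = safeName($requested);
    $path = $name === null ? null : resolveUploadPath($name);
    if ($path === null) {
        http_response_code(404);
        exit('File does not exist on the server!');
    }
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
    exit;
}

// upload.php:   echo htmlspecialchars(handleUpload($_FILES['fileupload']));
// download.php: handleDownload($_GET['file'] ?? '');
```

The returned stored name passes safeName() again on download, so the same whitelist guards both scripts. Keeping UPLOAD_DIR outside the web root, as the posted "../../../uploads/" path suggests, means an uploaded .php file could never be executed even if a check were bypassed; the realpath() prefix test makes sure the download script cannot be coaxed into reading anything else.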

Archived

This topic is now archived and is closed to further replies.
