happypete Posted September 14, 2012 (Author)

Thanks. It didn't work at first, but I took out some white space:

```apache
<LimitExcept GET POST DELETE>
    require valid-user
</LimitExcept>
```

Link to comment: https://forums.phpfreaks.com/topic/267947-cms-backend-test-for-vulnerabilities-and-security-problems/page/2/#findComment-1377931
happypete Posted September 18, 2012 (Author)

Made some changes to enhance the file upload security: URL: http://bit.ly/QfI6od
darkfreaks Posted September 18, 2012

Either your server is down or I am IP banned. Can you check?
happypete Posted September 18, 2012 (Author)

Site is not currently down. If your IP is blocked I can only unblock it if you are happy to let me know what it is....
happypete Posted September 19, 2012 (Author)

Image upload code:

```php
<?php
// check user logged in
include('db.inc.php');
require('htmlpure/HTMLPurifier.standalone.php');

// Check if coming from a POST command and Cancel
if ($_SERVER['REQUEST_METHOD'] == 'POST' && $_POST['submit'] == 'Return to gallery') {
    // If cancelled return to index page
    header('Location: gallery.php?success=5');
    exit;
}

// Check if coming from a POST command and Upload
if ($_SERVER['REQUEST_METHOD'] == 'POST' && $_POST['submit'] == 'Upload') {
    // File Size Check
    @session_start();
    $file_size = filesize($_FILES['image']['tmp_name']);
    if ($file_size === 0) {
        $_SESSION['msg'] = 'That was an empty file!';
        header('Location: gallery-upload.php');
        exit;
    } else if ($file_size >= (2480000)) {
        $_SESSION['msg'] = 'Image size is too big. Max upload 2MB';
        header('Location: gallery-upload.php');
        exit;
    } else if (!preg_match('/(JPE?G|PNG|GIF)/i', $_FILES['image']['name'])) {
        $_SESSION['msg'] = 'Invalid image format, only JPG, PNG & GIF formats';
        header('Location: gallery-upload.php');
        exit;
    } else if (strpos($_FILES['image']['name'], 'php')) {
        $_SESSION['msg'] = 'Invalid image format, only JPG, PNG & GIF formats.';
        header('Location: gallery-upload.php');
        exit;
    } else if (substr_count($_FILES['image']['name'], '.') > 1) { // check double file type
        $_SESSION['msg'] = 'Invalid image format, only JPG, PNG & GIF formats..';
        header('Location: gallery-upload.php');
        exit;
    }

    $newPath = '' . basename($_FILES['image']['name']);
    move_uploaded_file($_FILES['image']['tmp_name'], $newPath);

    // *** Include the class
    include("inc/resize-class.php");

    // *** Create 'random number' + 'vacation_rentals' for image name
    $imagename = time() . '_' . mt_rand(1000, 9999) . '_' . 'vacation_rentals' . '.jpg';

    // What Directories to put the images
    $largelocation = '/home/palermo/public_html/' . $siteid . '/images/';
    $thumblocation = '/home/palermo/public_html/' . $siteid . '/images/thumb/'; // thumbnail location
    $large = $largelocation . $imagename;
    $thumb = $thumblocation . $imagename;

    // *** 1) Initialise / load image
    $resizeObj = new resize($newPath);
    // *** 2) Resize LARGE image (options: exact, portrait, landscape, auto, crop)
    $resizeObj->resizeImage(667, 500); // was 650, 487
    // *** 3) Save image + define quality
    $resizeObj->saveImage($large, 95);

    // *** 4) Initialise / load image for second resize
    $resizeObj = new resize($newPath);
    // *** 5) Resize THUMB (options: exact, portrait, landscape, auto, crop)
    $resizeObj->resizeImage(150, 100, 'crop'); // was 220, 165
    // *** 6) Save image + define quality
    $resizeObj->saveImage($thumb, 95);

    // Remove file from temp Directory
    unlink($newPath);

    // Find the highest number in the 'rank' row and add 1
    // so uploaded photos appear at end of gallery
    $stmt = $db->prepare('SELECT max(rank) FROM photos');
    $stmt->execute();
    $e = $stmt->fetch();
    $num = max($e);
    $order = $num + 1;

    // Insert image into gallery
    $config = HTMLPurifier_Config::createDefault();
    $purifier = new HTMLPurifier($config);
    $clean_html1 = $purifier->purify($_POST['description']);
    $stmt = $db->prepare('INSERT INTO photos (siteid, description, src, rank) VALUES (?,?,?,?)');
    $stmt->execute(array((int) $siteid, $clean_html1, $imagename, $order));

    // Get the last ID to display image on upload page
    $id_obj = $db->query("SELECT LAST_INSERT_ID()");
    $id = $id_obj->fetch();
    $id_obj->closeCursor();

    // once updated return to gallery upload image page 'id' to show uploaded image on uploads page
    header('Location: gallery-upload.php?success=3&id=' . $id[0]);
    exit;
} else {
    // If nothing happens
    header('Location: gallery-upload.php?success=5');
    exit;
}
?>
```
happypete Posted September 19, 2012 (Author)

I also put a .htaccess file in the uploads directory:

```apache
# secure directory by disabling script execution
AddHandler cgi-script .php .pl .py .jsp .asp .htm .html .shtml .sh .cgi
Options -ExecCGI
```
darkfreaks Posted September 19, 2012

Can you unban my IP again?
happypete Posted September 19, 2012 (Author)

Quote: "Can you unban my IP again?"

Done.
darkfreaks Posted September 19, 2012

While the CGI code stops script execution, it does not stop file uploads. [+1 layer of security]

Nowhere in your code is there an array of which extension types are disallowed (blacklist). [+1 layer of security]

And instead of checking images using preg_match you would be better suited using getimagesize. [+1 layer of security]

Securing your image upload form
happypete Posted September 19, 2012 (Author)

Added a blacklist:

```php
$blacklist = array(".php", ".phtml", ".php3", ".php4", ".js", ".shtml", ".pl", ".py",
                   ".php5", ".htm", ".html", ".zip", ".exe", ".htaccess");
foreach ($blacklist as $file) {
    // preg_quote() escapes the leading "." so it is matched literally, not as "any character"
    if (preg_match('/' . preg_quote($file, '/') . '$/i', $_FILES['image']['name'])) {
        $_SESSION['msg'] = 'blacklisted';
        header('Location: header-image.php');
        exit;
    }
}
```

Tried using getimagesize() but it just stopped all images...

Sorry, but I didn't understand this bit: "while the CGI code stops script execution it does not stop file uploads". What are you suggesting I do?
darkfreaks Posted September 19, 2012

Could try image MIME types for extensions and a whitelist array of allowed extensions.

```php
$allowedexts = array('gif', 'jpeg', 'jpg', 'png');
// end() needs a variable, not a function result, so split first
$parts = explode(".", $_FILES["image"]["name"]);
$extension = end($parts);
$type = $_FILES["image"]["type"];
// the OR group is parenthesised so the extension check applies to every type
if (($type == "image/jpeg" || $type == "image/gif" || $type == "image/png")
    && in_array($extension, $allowedexts)) {
}
```
happypete Posted September 19, 2012 (Author)

Quote: "Could try image MIME types for extensions and a whitelist array of allowed extensions."

```php
$allowedexts = array('gif', 'jpeg', 'jpg', 'png');
$parts = explode(".", $_FILES["image"]["name"]);
$extension = end($parts);
$type = $_FILES["image"]["type"];
if (($type == "image/jpeg" || $type == "image/gif" || $type == "image/png")
    && in_array($extension, $allowedexts)) {
}
```

Will that be better than what I already have?

```php
else if (!preg_match('/(JPE?G|PNG|GIF)/i', $_FILES['image']['name'])) {
    $_SESSION['msg'] = 'Invalid image format, only JPG, PNG & GIF formats';
    header('Location: header-image.php');
    exit;
}
```

I'm giving each file a new name and changing it to a .jpg. The uploads will only be accessible after login to an individual account and are not located in the root folder.
darkfreaks Posted September 19, 2012

It is a better way to check for images versus preg_match. So if you only intend to allow JPEG and GIF, take PNG out of the array so it only allows gif, jpeg and jpg files, and if it doesn't match, error.

```php
$allowedexts = array('gif', 'jpeg', 'jpg');
$parts = explode(".", $_FILES["image"]["name"]);
$extension = end($parts);
$type = $_FILES["image"]["type"];
if (($type == "image/jpeg" || $type == "image/gif") && in_array($extension, $allowedexts)) {
    // if match JPEG/JPG or GIF run code
} else {
    // print error here
}
```
happypete Posted September 19, 2012 (Author)

Thanks.
darkfreaks Posted September 19, 2012

Let me know when it is implemented and my IP removed, and I will see if this is any better.
happypete Posted September 19, 2012 (Author)

IP block removed, ready for testing:

/accounts/gallery-uploadupdate.php
/accounts/header-imageupdate.php
/accounts/index-imageupdate.php

http://bit.ly/QfI6od
darkfreaks Posted September 20, 2012

https://www.owasp.org/index.php/Unrestricted_File_Upload

Just read that. Apparently using white and black lists is a piss poor method and both can be bypassed, according to OWASP standards. Not sure where to go from here.
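An added example, not code from this thread or from happypete's CMS, of where the OWASP page and the getimagesize / whitelist suggestions above lead when combined: the extension whitelist is kept, the client-supplied $_FILES['image']['type'] is ignored in favour of the file's actual bytes (fileinfo and getimagesize), and the image is decoded and re-encoded with GD under a random name so that nothing but pixel data reaches disk. It assumes PHP 7.0 or later with the GD and fileinfo extensions; the function name, the $uploadDir argument and the form field name 'image' in the usage comment are this example's own choices.

```php
<?php
// Added example for this thread: validate an uploaded image by content, not by name or
// by the client-supplied MIME type, then re-encode it with GD under a fresh random name.
// Not the CMS's own code; $uploadDir and the field name 'image' are assumptions.

function validate_and_store_image(array $file, string $uploadDir, int $maxBytes = 2 * 1024 * 1024): array
{
    // 1. Transport errors first: filesize() on a missing tmp file tells us nothing.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return ['ok' => false, 'msg' => 'Upload failed (error ' . ($file['error'] ?? 'unknown') . ')'];
    }
    // Only accept a file that PHP itself received via HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        return ['ok' => false, 'msg' => 'Not an uploaded file'];
    }
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > $maxBytes) {
        return ['ok' => false, 'msg' => 'File is empty or larger than ' . $maxBytes . ' bytes'];
    }

    // 2. Whitelist the extension. pathinfo() returns the LAST extension,
    //    so "shell.php.jpg" is judged on "jpg", and the result is lower-cased.
    $allowedExts = ['jpg', 'jpeg', 'png', 'gif'];
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExts, true)) {
        return ['ok' => false, 'msg' => 'Only JPG, PNG and GIF files are accepted'];
    }

    // 3. Sniff the bytes. $_FILES['image']['type'] is a header set by the client,
    //    so it is never consulted here.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    $allowedMimes = ['image/jpeg', 'image/png', 'image/gif'];
    if (!in_array($mime, $allowedMimes, true)) {
        return ['ok' => false, 'msg' => 'File content is not a JPEG, PNG or GIF image'];
    }

    // 4. getimagesize() parses the image header and returns false for anything it cannot read.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !in_array($info[2], [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF], true)) {
        return ['ok' => false, 'msg' => 'File is not a readable image'];
    }

    // 5. Decode and re-encode with GD. A valid image that also carries a script
    //    appended to it or hidden in metadata loses that payload here, because
    //    only the decoded pixels are written back out.
    $src = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($src === false) {
        return ['ok' => false, 'msg' => 'Image could not be decoded'];
    }

    // 6. Never reuse the client's filename: random name, fixed harmless extension.
    $name = bin2hex(random_bytes(16)) . '.jpg';
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    $written = imagejpeg($src, $dest, 90);
    imagedestroy($src);
    if (!$written) {
        return ['ok' => false, 'msg' => 'Could not write image'];
    }
    chmod($dest, 0644); // readable, never executable

    return ['ok' => true, 'msg' => 'stored', 'path' => $dest];
}

// Usage (the field name and directory are assumptions for this example):
// $result = validate_and_store_image($_FILES['image'], '/home/example/uploads');
// if (!$result['ok']) {
//     $_SESSION['msg'] = $result['msg'];
//     header('Location: gallery-upload.php');
//     exit;
// }
```

Two caveats a practitioner would want. Re-encoding through GD flattens animated GIFs to one frame and drops PNG transparency, so if those matter the function should write PNG or GIF output (imagepng / imagegif) instead of always JPEG; the security property is the same as long as the output is generated from decoded pixels. And steps 2 to 4 are still checks on names and headers, which is why the OWASP page says lists alone can be bypassed: the re-encode in step 5, together with keeping the upload directory outside the document root or with execution disabled as in the .htaccess post above, is what actually removes the payload rather than just trying to recognise it.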
happypete Posted September 20, 2012 (Author)

Some protection is better than no protection... It will be an individual user who signs in and has access to the form, so it's not as if it will be an open upload option to anyone....