
website security


jagguy


I have people uploading PHP files, and I have a JS check and a PHP script check for the file extension with PHP.

 

I can't replicate this, so I don't know how to fix this problem.

 

 

You're seriously not listening to a word people are saying. Your JS check won't stop anything. You need to understand the difference between server side and not server side. I can't think of the correct wording at the moment. Within your upload script you need to check what pathway they are downloading, like source has said a few times now.

 

This would check eg: /uploads

 

If anyone specifies any other directory, eg: /home

 

It will not download.

 

As for upload, you need to check that all uploads go to the directory /uploads and nowhere else.

 

You have a lot to read up on... Probably worth clicking on the PHP Help and making a topic about securing your directory for uploads and downloads.

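The server-side upload check the reply above is asking for, as an added example that is not code from this thread. It assumes the form field is named "upload" and that files are stored under a fixed uploads directory next to the script; both are assumptions, and the web server must separately be configured not to execute anything in that directory.

```php
<?php
// Server-side upload validation: runs whether or not the browser ran any JavaScript.
const UPLOAD_DIR = __DIR__ . '/uploads';   // assumed fixed destination, never taken from the request
const MAX_BYTES  = 5 * 1024 * 1024;

function store_upload(array $f): string {
    // Allowlist of extension => MIME type the file's bytes must actually have.
    $allowed = ['pdf' => 'application/pdf', 'png' => 'image/png',
                'jpg' => 'image/jpeg',      'gif' => 'image/gif'];

    if (!isset($f['error']) || $f['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($f['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Extension taken from the LAST dot, so "shell.php.jpg" is judged as "jpg", not "php".
    $ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, $allowed)) {
        throw new RuntimeException('file type not allowed');
    }
    // $_FILES['type'] is sent by the client and cannot be trusted; sniff the bytes instead.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($f['tmp_name']) !== $allowed[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // Never reuse the client's file name: generate one, so no path or odd characters reach disk.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);   // readable, not executable
    return $name;
}

if (isset($_FILES['upload'])) {
    try {
        echo 'stored as ' . htmlspecialchars(store_upload($_FILES['upload']));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage());   // generic message, no paths
    }
}
```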

OK, I don't believe people are listening. My JS is just the 1st line of defence that I turn off and test with the PHP script. So let's forget about JS.

 

Now the dir isn't specified by the user or passed, as it is hard coded in the server script, so that is safe.

 

http://jagguy.ej.am/school/test/download.php

This file is not passing anything but the file name, and I checked this. It goes to download2.php and this has the correct filename. For some reason the file to download is not the one in the program but another download2.php. I echo the file to download and it is the correct one, but somehow it gets redirected?

 

The other errors have appeared and I can fix them, but it is the download problem I have no idea about. The other errors have been fixed but I haven't uploaded them.

 

What is making the path change midway in a program after variables have been checked, including the path?

 

 

```php
<?php
// $myvar (base path) and $file (requested file name) are set earlier in the script.
$file_path = $myvar . "/files/" . $file;
echo $myvar . "/files/" . $file; //this is correct but the program to download switches??????????????????????????????

$file_extension = strtolower(substr(strrchr($file, "."), 1));

if ((isset($file)) && (file_exists('files/' . $file)))
{
    // Note: any output before header() (the echo lines here) makes PHP report
    // "headers already sent" and the echoed text ends up at the start of the download.
    echo $file_extension; //this is correct as well

    switch ($file_extension)
    {
        case "pdf": $ctype = "application/pdf"; break;
        case "exe": $ctype = "application/octet-stream"; break;
        case "zip": $ctype = "application/zip"; break;
        case "doc": $ctype = "application/msword"; break;
        case "xls": $ctype = "application/vnd.ms-excel"; break;
        case "ppt": $ctype = "application/vnd.ms-powerpoint"; break;
        case "gif": $ctype = "image/gif"; break;
        case "png": $ctype = "image/png"; break;
        case "jpg": $ctype = "image/jpg"; break;
        default:    $ctype = "application/force-download";
    }

    header("Content-type: application/force-download");
    // header('Content-Disposition: inline; filename="' . $file_path . '"');
    header("Content-Transfer-Encoding: Binary");
    // header("Content-length: " . filesize($file_path));
    header("Content-length: " . filesize($file_path));

    // The second Content-Type header replaces the one sent above.
    header("Content-Type: $ctype");
    // header('Content-Disposition: attachment; filename="' . $file_path . '"');
    header('Content-Disposition: attachment; filename="' . $file . '"');

    // readfile("$file_path");
    readfile("$file_path");
}
```

 


OK, I have fixed all problems given here. Maybe there are other problems, but it is very, very secure compared to before.

 

Now I can't specify this in my download file because the program includes this header no matter what. My download program works, but I can download files if not logged in. Just including this check fails to make it work.

 

The problem occurs when I use a download manager. The download manager won't get the required file but login.php.

Also, since headers are sent to download the file, it will not redirect afterwards to another file, so I don't need to keep this dir secure anyway.

 

 

```php
<?php
// session_start() must already have been called for $_SESSION to be populated.
if (!isset($_SESSION['uid']))
{
    header("Location: " . $myvar . "/login.php");
    exit;
}
```

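A download handler that puts the session check from the post above before any output, refuses names that leave the files directory, and then sends the file, as an added example that is not the thread author's script. It assumes the name arrives in $_GET['file'] and that files live in a "files" directory beside the script (both assumptions); 'uid' is the session key used in the thread.

```php
<?php
session_start();

$FILES_DIR = realpath(__DIR__ . '/files');   // assumed storage location

// Login check first: a redirect only works while nothing has been echoed yet.
if (!isset($_SESSION['uid'])) {
    header('Location: /login.php');
    exit;
}

$file = $_GET['file'] ?? '';
// Accept plain names only: no directory separators, no "..", no leading dot, one extension.
if (!preg_match('/^[A-Za-z0-9_-]+\.[a-z0-9]{1,5}$/', $file)) {
    http_response_code(400);
    exit('No file selected');   // generic text, no server path and no PHP notice
}

// Resolve the path and confirm the result is still inside FILES_DIR
// (catches traversal and symlinks that the regex alone would not).
$path = realpath($FILES_DIR . '/' . $file);
if ($path === false
    || strpos($path, $FILES_DIR . DIRECTORY_SEPARATOR) !== 0
    || !is_file($path)) {
    http_response_code(404);
    exit('No file selected');
}

$types = ['pdf' => 'application/pdf', 'zip' => 'application/zip',
          'doc' => 'application/msword', 'gif' => 'image/gif',
          'png' => 'image/png',          'jpg' => 'image/jpeg'];
$ext   = strtolower(pathinfo($path, PATHINFO_EXTENSION));
$ctype = $types[$ext] ?? 'application/octet-stream';

header('Content-Type: ' . $ctype);
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('X-Content-Type-Options: nosniff');   // browser must not second-guess the type
readfile($path);
exit;
```

A client that does not send the session cookie (a separate download manager, for instance) is redirected to login.php by this script as well, so the login page is what it saves.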

  • 2 weeks later...

I have not yet gone too far past the login steps, but I see something glaring at me.

 

Just a suggestion: you are sending the password as unencrypted text. You may want to at the very least hash the password with MD5 or SHA-1 before it leaves the client. A better step would be to salt it with another hash of a randomized number or word sent from the server each time the login page is loaded, hash that, and then combine and rehash both together to make a nicely hashed password.

 

In the past I have used a mixture of a randomized number/letter combination and stored it in a session variable; it changed with every attempt to log in.

 

 

If your users do not use JavaScript... well, that is something you will have to decide to support or not.

 

 

 

Also, make yourself a bit resistant to brute-force logins. Lock out the user if they attempt 3 invalid logins, even if it is just for 15 minutes.

 

That way, if anyone is packet sniffing, they would see a different value each time a login request is sent in. SSL is nice to have, but don't rely solely on it if you are using it.

 

Also,

 

Path disclosure...

Notice: Undefined index: file in /home/jagguy/public_html/school/test/files/download2.php on line 10

Error No file selected

 

 

You cannot make your site invulnerable but some simple steps can make it more difficult to breach than the next guy's site.

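The "3 invalid logins, 15 minute lockout" rule from the post above, implemented on the server, as an added example that is not code from this thread. Attempts are counted per account in a file outside the web root, because a counter kept only in the user's session resets as soon as the client drops its cookie; the lock directory and the verify_credentials() function are assumptions.

```php
<?php
const MAX_ATTEMPTS = 3;
const LOCK_SECONDS = 15 * 60;
const LOCK_DIR     = '/var/tmp/login-attempts';   // assumed location, not under public_html

function attempt_file(string $user): string {
    return LOCK_DIR . '/' . hash('sha256', strtolower($user)) . '.json';
}

function is_locked_out(string $user): bool {
    $f = attempt_file($user);
    if (!is_file($f)) return false;
    $rec = json_decode((string) file_get_contents($f), true) ?: ['n' => 0, 'last' => 0];
    return $rec['n'] >= MAX_ATTEMPTS && (time() - $rec['last']) < LOCK_SECONDS;
}

function record_failure(string $user): void {
    if (!is_dir(LOCK_DIR)) mkdir(LOCK_DIR, 0700, true);
    $h = fopen(attempt_file($user), 'c+');
    flock($h, LOCK_EX);   // two concurrent failures must not lose a count
    $rec = json_decode((string) stream_get_contents($h), true) ?: ['n' => 0, 'last' => 0];
    if ((time() - $rec['last']) >= LOCK_SECONDS) $rec['n'] = 0;   // old window expired
    $rec['n']++;
    $rec['last'] = time();
    ftruncate($h, 0);
    rewind($h);
    fwrite($h, json_encode($rec));
    flock($h, LOCK_UN);
    fclose($h);
}

function clear_failures(string $user): void {
    @unlink(attempt_file($user));
}

// Login flow: consult the lock before touching the password, and give the same
// answer for "locked", "no such user" and "wrong password".
function handle_login(string $user, string $pass): bool {
    if (is_locked_out($user)) {
        return false;
    }
    if (!verify_credentials($user, $pass)) {   // assumed: compares against a password_hash() value
        record_failure($user);
        return false;
    }
    clear_failures($user);
    return true;
}
```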
