kristopherWindsor Posted December 27, 2007

http://freefile.hyperphp.com/

This site allows you to upload files up to 2MB after registering and logging in. All files are allowed, but files that do server-side scripting (i.e. .php) are renamed to *.php.txt so the script will not run. I did not do this for .htm / .html files yet, so the members can create home pages in their subdirectories, but I may eventually rename those to .htm[l].txt, too.

For the spamcheck, select the option "FreeBasic is great!" in the drop-down selector.

I would like to know if it works well, and if it is secure (probably not). Thanks.

Link to comment https://forums.phpfreaks.com/topic/83328-new-file-hosting-site/
Coreye Posted December 27, 2007

I made the name index.php so now when people go to http://freefile.hyperphp.com/uploads/ they see my images instead of a directory.
kristopherWindsor (Author) Posted December 27, 2007

Thanks for finding that. I didn't know a folder named "index.*" would do that. I will adjust the site so periods are not allowed in member / directory names. Any other problems?
agentsteal Posted December 27, 2007

Cross Site Scripting: There is Cross Site Scripting in the uploaded files.
Insecure Cookie: You shouldn't put the password in the cookie.
Insecure Cookie: You shouldn't put the username in the cookie.
You can log in as any user by changing the name cookie and the password cookie to their username and password.
ohdang888 Posted December 27, 2007

That background is disgusting. Makes me want to leave. Right away.
Flayra Posted December 27, 2007

Whitelisting is usually a lot safer than blacklisting. Start with a few files (jpg, gif, avi, whatever you desire) and expand as you test them. With blacklisting someone might manage to get a perl file or some other script file up and execute it.

Never put plain-text passwords anywhere. One-way hash them (sha1 - sha256) and compare upon login.

Never put the password, in any form, in a cookie or otherwise user-trusted environment. If you need to remember the user, store his ID along with a randomly generated string that is in the DB and should be (almost) impossible to guess. Refresh this string on every login.

As for aesthetics, please change those colors
helraizer Posted December 27, 2007

    <iframe name="rotater" Width="100%" height="100%" frameborder="0" src="http://xlphp.net/aboutus.php" marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true" scrolling="auto">
    </iframe>
    <!-- 399 310 772 188 121 747 908 375 658 989 471 891 842 282 539 788 863 399 310 772 188 121 747 908 375 658 989 471 891 842 282 539 788 863 399 310 772 188 121 747 908 375 658 989 471 891 842 282 539 788 863 526 640 917 51 415 140 573 716 965 688 395 829 76 810 801 733 244 95 205 283 488 189 705 173 743 574 947 608 694 973 886 298 223 449 99 309 936 432 209 623 454 ph-->

^ I got that when I uploaded a file. Qu'est-ce que c'est?
kristopherWindsor (Author) Posted December 28, 2007

http://freefile.hyperphp.com/

I made some changes and reset the site. Please test again. Thanks.

> I made the name index.php so now when people go to http://freefile.hyperphp.com/uploads/ they see my images instead of a directory.

Periods are no longer allowed in the member names (or passwords).

> Cross Site Scripting: There is Cross Site Scripting in the uploaded files.

Were you referring to JavaScript? JS files (.js, .html, etc.) are now renamed so they become plain text files, and will not run. Are there still problems with this?

> Insecure Cookie: You shouldn't put the password in the cookie.
> Insecure Cookie: You shouldn't put the username in the cookie.

I am now using a hash to encrypt the password, but I think the member name should be visible. Your files will be saved into "/uploads/yourmembername" so you cannot hide your member name, anyway. Or was there some other reason for hiding the member name?

> You can log in as any user by changing the name cookie and the password cookie to their username and password.

Yes, but you would still have to know their password.

> That background is disgusting. Makes me want to leave. Right away.

> As for aesthetics, please change those colors

I changed the background picture and color, so it should look much better. The color scheme now only uses two colors (white and blue), so it should not have to be changed since it matches now.

> Whitelisting is usually a lot safer than blacklisting. Start with a few files (jpg, gif, avi, whatever you desire) and expand as you test them. With blacklisting someone might manage to get a perl file or some other script file up and execute it.

I am now using:

    $whitelist = array('.zip', '.rar', '.7z', '.jpg', '.gif', '.png', '.txt', '.exe', '.doc', '.xls');

> Never put plain-text passwords anywhere. One-way hash them (sha1 - sha256) and compare upon login.
>
> Never put the password, in any form, in a cookie or otherwise user-trusted environment. If you need to remember the user, store his ID along with a randomly generated string that is in the DB and should be (almost) impossible to guess. Refresh this string on every login.

The passwords are hashed this way now (in both the cookies and the database). The member names are listed elsewhere, so they cannot be hidden. (Suppose someone wants to see your member name, and they are physically near your computer. They do not have to look at the cookies to see your member name because it is shown at my site's home page. ("Welcome, member name!"))

> ^ I got that when I uploaded a file. Qu'est-ce que c'est?

I'm not exactly sure what you mean; but HTML pages are now processed as plain text files, so you can no longer use iframes to show content from other sites.
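The remember-me scheme Flayra describes two posts up, as an added example that is not the site's code or any poster's: the cookie carries only a user id and a random token, the database keeps the password hash and a hash of the token, and the token is replaced on every login. The $db array is a constructed stand-in for the real table, the function names are assumptions, and the cookie options need PHP 7.3+.

```php
<?php
// Added example (not the site's code): "remember me" without a password in the cookie.
// $db is a constructed stand-in for the real user table; all names here are assumptions.
$db = [
    1 => ['name' => 'alice', 'pw_hash' => password_hash('correct horse', PASSWORD_DEFAULT), 'token_hash' => null],
];

// Login: verify the password against its one-way hash, then mint a fresh token.
function login(array &$db, int $userId, string $password): ?string {
    if (!isset($db[$userId]) || !password_verify($password, $db[$userId]['pw_hash'])) {
        return null;                                     // unknown user or wrong password
    }
    $token = bin2hex(random_bytes(32));                  // 256 bits from the CSPRNG
    $db[$userId]['token_hash'] = hash('sha256', $token); // only the hash is stored, so a
    return $token;                                       // DB dump cannot be replayed as a cookie
}

// Later request: recover the user from the cookie value "<user id>:<token>".
function userFromCookie(array $db, string $cookie): ?int {
    if (!preg_match('/^(\d+):([0-9a-f]{64})$/', $cookie, $m)) {
        return null;                                     // malformed cookie
    }
    $userId = (int) $m[1];
    if (!isset($db[$userId]) || $db[$userId]['token_hash'] === null) {
        return null;                                     // no active remember-me token
    }
    // hash_equals() runs in constant time, so the comparison leaks no timing information.
    return hash_equals($db[$userId]['token_hash'], hash('sha256', $m[2])) ? $userId : null;
}

// Logout (or a password change): clearing the server-side hash invalidates the cookie.
function logout(array &$db, int $userId): void {
    if (isset($db[$userId])) {
        $db[$userId]['token_hash'] = null;
    }
}

// Walk-through with the constructed user.
$token = login($db, 1, 'correct horse');
setcookie('remember', "1:$token", [
    'expires' => time() + 30 * 86400, 'path' => '/',
    'secure' => true, 'httponly' => true, 'samesite' => 'Lax', // not readable by page scripts
]);
var_dump(userFromCookie($db, "1:$token"));                 // the legitimate cookie
var_dump(userFromCookie($db, "1:" . str_repeat('0', 64)));  // a forged token
logout($db, 1);
var_dump(userFromCookie($db, "1:$token"));                 // the old cookie after logout
```

Storing a hash of the password in the cookie, as the reply above describes, still lets anyone who copies the cookie log in as that user; the random token is what makes the copied value revocable.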
helraizer Posted December 28, 2007

> > ^ I got that when I uploaded a file. Qu'est-ce que c'est?
>
> I'm not exactly sure what you mean; but HTML pages are now processed as plain text files, so you can no longer use iframes to show content from other sites.

Qu'est-ce que c'est means 'what is it?' I uploaded just a test.pl file, I think, and called it something like 'not quite the index page', and when I viewed the file, it said

    <iframe name="rotater" Width="100%" height="100%" frameborder="0" src="http://xlphp.net/aboutus.php" marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true" scrolling="auto">
    </iframe>
    <!-- 399 310 772 188 121 747 908 375 658 989 471 891 842 282 539 788 863 399 310 772 188 121 747 908 375 658 989 471 891 842 282 539 788 863 399 310 772 188 121 747 908 375 658 989 471 891 842 282 539 788 863 526 640 917 51 415 140 573 716 965 688 395 829 76 810 801 733 244 95 205 283 488 189 705 173 743 574 947 608 694 973 886 298 223 449 99 309 936 432 209 623 454 ph-->

Sam
kristopherWindsor (Author) Posted December 28, 2007

> > > ^ I got that when I uploaded a file. Qu'est-ce que c'est?
> >
> > I'm not exactly sure what you mean; but HTML pages are now processed as plain text files, so you can no longer use iframes to show content from other sites.
>
> Qu'est-ce que c'est means 'what is it?' I uploaded just a test.pl file, I think, and called it something like 'not quite the index page', and when I viewed the file, it said
>
>     <iframe name="rotater" Width="100%" height="100%" frameborder="0" src="http://xlphp.net/aboutus.php" marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true" scrolling="auto">
>     </iframe>
>     <!-- 399 310 772 188 121 747 908 375 658 989 471 891 842 282 539 788 863 399 310 772 188 121 747 908 375 658 989 471 891 842 282 539 788 863 399 310 772 188 121 747 908 375 658 989 471 891 842 282 539 788 863 526 640 917 51 415 140 573 716 965 688 395 829 76 810 801 733 244 95 205 283 488 189 705 173 743 574 947 608 694 973 886 298 223 449 99 309 936 432 209 623 454 ph-->
>
> Sam

Sorry, I can only conclude that you uploaded this content yourself? Can you try the upload again, and post here what should be the contents of the file? Thanks.
helraizer Posted December 29, 2007

Now it's just weird.

    #!/usr/bin/perl
    print "What's this? Index.pl?\n";

Just a basic Perl script from my PC, and now when I go onto it, it directs me to Google.co.uk. =\ Why?

http://freefile.hyperphp.com/uploads/helraizer/not_quite_the_index_file.txt

About that code before, that wasn't in the file I uploaded; it only appeared after I uploaded it and viewed it.

Sam
kristopherWindsor (Author) Posted December 29, 2007

> Now it's just weird.

Definitely. I downloaded the file through FTP, and it is just a small Perl file. I uploaded it to another web site, and tried to view it in the browser, and it is delivered as a plain text file, as expected. My free web host must detect a keyword in that file or something that causes it to redirect. Maybe .TXT files are parsed by Perl? I hope not!! Hopefully I'll get a paid host soon, then that won't be a problem.
dsaba Posted December 29, 2007

I read your little message "only members can upload". Yet, I still saw your upload form. I tried uploading a file and had to wait a couple of minutes while something loaded, only to receive an alert saying I'm not logged in after my long wait. This is annoying; if uploads aren't allowed for non-users, don't tempt them with the form unless they're logged in.

--------------------------------------------------------------------

I tried uploading a file with non-ASCII characters in it; it creates very ugly & long filenames:

1497___1501____1506___1493___1513___1497___1501____1488___1504___1513___1497___1501____1511___1513___1497___1501____1512___1493___1510___1492____1500___1492___1512___1490___1497___1513_.jpg

Learn how to save & display in UTF-8 encoding everywhere. You may fool yourself into thinking that only English content is allowed and therefore ASCII is all you need, but non-ASCII characters can most def. be used in "English" content as well.
kristopherWindsor (Author) Posted December 30, 2007

> I read your little message "only members can upload". Yet, I still saw your upload form. I tried uploading a file and had to wait a couple of minutes while something loaded, only to receive an alert saying I'm not logged in after my long wait. This is annoying; if uploads aren't allowed for non-users, don't tempt them with the form unless they're logged in.

I applied this suggestion, and also fixed a logout bug that I found while fixing this.

> I tried uploading a file with non-ASCII characters in it; it creates very ugly & long filenames:
>
> 1497___1501____1506___1493___1513___1497___1501____1488___1504___1513___1497___1501____1511___1513___1497___1501____1512___1493___1510___1492____1500___1492___1512___1490___1497___1513_.jpg
>
> Learn how to save & display in UTF-8 encoding everywhere. You may fool yourself into thinking that only English content is allowed and therefore ASCII is all you need, but non-ASCII characters can most def. be used in "English" content as well.

I am not sure how to fix this. If each character in the filename is being converted to a 4 digit number, this is automatic in PHP. I just use

    $filename = $_POST['filename'];

and then replace odd characters with underscores. My code did not convert special characters to 4 digit codes. If there is an easy way to fix this then I will do it.
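The filename handling discussed in the two posts above, together with the $whitelist array from the earlier reply, as an added example that is not the site's code: it keeps non-ASCII letters in the stored name and decides on the final extension only. The function name is an assumption, and so is the reading that the 1497___1501_ pattern came from numeric character references like &#1497; (1497 is the code point of a Hebrew letter); the thread itself does not confirm that.

```php
<?php
// Added example (not the site's code): sanitise an uploaded file name while keeping
// non-ASCII letters, and apply the extension whitelist from the thread. Names are assumptions.
$whitelist = ['zip', 'rar', '7z', 'jpg', 'gif', 'png', 'txt', 'exe', 'doc', 'xls'];

function safeUploadName(string $clientName, array $whitelist): ?string {
    // Assumption: the 1497___1501_ pattern in the thread is what numeric character
    // references such as &#1497; become once '&', '#' and ';' are turned into '_'.
    // Decoding them first restores the original letters.
    $name = html_entity_decode($clientName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    if (!mb_check_encoding($name, 'UTF-8')) {
        return null;                                     // refuse malformed byte sequences
    }
    // Drop any directory part the client sent ('/' never occurs inside a UTF-8 sequence).
    $parts = explode('/', str_replace('\\', '/', $name));
    $name  = end($parts);
    // Keep letters and digits of any script plus . _ -; collapse everything else to '_'.
    $name = preg_replace('/[^\p{L}\p{N}._-]+/u', '_', $name);
    $name = ltrim($name, '.');                           // no hidden files such as .htaccess
    if ($name === '' || mb_strlen($name, 'UTF-8') > 100) {
        return null;
    }
    // Split on the LAST dot and allow only one dot in the stored name: Apache's mod_mime
    // honours inner extensions, so "page.php.jpg" could otherwise still be handed to PHP.
    $dot = strrpos($name, '.');
    if ($dot === false) {
        return null;                                     // no extension at all
    }
    $base = str_replace('.', '_', substr($name, 0, $dot));
    $ext  = strtolower(substr($name, $dot + 1));
    if (!in_array($ext, $whitelist, true)) {
        return null;                                     // not whitelisted: reject, do not rename
    }
    return $base . '.' . $ext;
}

// Constructed inputs.
var_dump(safeUploadName('&#1497;&#1501; &#1506;&#1493;&#1513;.jpg', $whitelist)); // Hebrew letters kept
var_dump(safeUploadName('../../page.php.jpg', $whitelist));   // path stripped, inner dot replaced
var_dump(safeUploadName('page.jpg.php', $whitelist));         // final extension is not whitelisted
```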
stelthius Posted January 4, 2008

I have just registered with the username l and password l. That got me curious, so I also registered an account using / as username and / as password. You may want to address this; maybe you should make it 4 characters minimum?? I know I don't allow any of my login or register forms to be less than 5 characters, and also stop the use of non-alphanumeric characters.

Stelth