Well, after the third day of having something in my pending folder that had something to do with hacking (They couldn't access it till I executed the prog) I have decided to completely disable the uploading system, until I can come up with something better. I will probably need to come up with a member sign up/in page, to give access to uploading stuff, and at that point, maybe get around to making a decent archive script. Who knows, but right now, the member sign up/in thing to access those pages are a bit of a priority...
Yeah, that's the problem with upload scripts. You might want to disable .exe uploading...
It was only supposed to upload zips, but it isn't restricting it for some reason... dunno, I am just gonna have to learn php and make something else up... Maybe a real archiving system... ^_^
Just make sure the extension is .zip using string manipulations. Not terribly difficult.
Well, I did that within the page set up, and it still accepted it... but it doesn't matter, cause it can't accept anything at present. Wink

Code:
<?php
// Split the uploaded file name on '.' and look at the last piece.
// Note: explode() takes the delimiter first, then the string.
$parts = explode('.', $filename);
if ($parts[count($parts) - 1] != 'zip') // or rar
{
    // file is bad: reject the upload
}
?>

Here's a piece of code you can use.
Thanks.

I will probably use that, once I figure out how to make a sign in system. Smile That way it logs the IP addresses of those that upload, and if I get something that is hack material, then maybe I should turn it over to the authorities? Dunno, just got to try to stop this crap...
hackerwatch.org is the place to report stuff. I don't know how to get the IP though...
elfprince does, I believe. Smile If nothing else, phpbb forums can do it, I would just need to research that...
Just to let you know, that .zip check is incredibly easy to get around if you're a hacker...just change the extension. Apache will still look at the content-type instead.
Well, it doesn't matter, this way my site will be safe for a while, and I will see about making that php archiving script...
Why do you just want .zips anyway? It's not like your server executes the file, where it would be a problem if it was an executable....
Cool. Is that what got the site hacked the first time?
Putting restrictions in the HTML form or even in the MIME type via PHP won't affect uploads how you want, because a hacker can spoof it in the HTTP headers or by uploading through their own homemade forms. Use string manipulation and make sure you CHMOD files to not be publicly executable.
Umm, because I would like the readme, screenshots, and programs to be in one spot, so I do not have to hunt and check each one... Wink

I plan on making my own upload script. I will just have to expand the pending folders, to allow for all the options, etc. I will also need to employ a log in system, once I learn that much php anyways...
What you should do is set up some kind of 3rd party virus checker like Yahoo! mail has. On second thought, that would be pointless, because you want to watch for malicious php scripts.
tifreak8x wrote:
Umm, because I would like the readme, screenshots, and programs to be in one spot, so I do not have to hunt and check each one... Wink

I plan on making my own upload script. I will just have to expand the pending folders, to allow for all the options, etc. I will also need to employ a log in system, once I learn that much php anyways...


What about other archives? Like RAR, GZIP, or BZIP2? (which are all better than zip anyway Razz)
I just put a double md5 of a string onto the end of the file. That way no one is going to find it anyway.
...or rename programs with a random md5 hash and store that in a database. Also remove the php extension.
KermMartian wrote:
...or rename programs with a random md5 hash and store that in a database. Also remove the php extension.


...or just make it non-executable Rolling Eyes
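The thread's advice adds up to four checks: validate the extension with string manipulation (not the form or the client-supplied MIME type), confirm the content really is an archive, rename the stored file to something random and keep the original name in a database, and make the file non-executable. The handler below is an added example that puts those pieces together in PHP; it is not code from the thread or from any poster. The upload field name (`archive`), the directory and database paths (`UPLOAD_DIR`, `DB_PATH`), the table layout and the size limit are all assumptions for illustration.

```php
<?php
// Added example: hardened archive upload handler. Not from the forum thread.
// Assumed: form field "archive", UPLOAD_DIR outside the document root,
// a SQLite database at DB_PATH (PHP 7+ with the PDO sqlite driver).
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/../pending';        // assumed path, not web-served
const DB_PATH    = __DIR__ . '/../uploads.sqlite'; // assumed path
const MAX_BYTES  = 10 * 1024 * 1024;               // assumed limit

// Allowed extensions and the leading bytes each archive format starts with.
// These signatures are checked on disk instead of trusting $_FILES[...]['type'].
const ALLOWED = [
    'zip' => ["PK\x03\x04", "PK\x05\x06"],  // local file header, or empty archive
    'gz'  => ["\x1f\x8b"],
    'bz2' => ["BZh"],
    'rar' => ["Rar!\x1a\x07"],
];

function extensionOf(string $originalName): string
{
    // Last path component, then the text after the final dot, lower-cased.
    // This is the "string manipulation" check from the thread; on its own it
    // only tells you what the uploader claims the file is.
    $base = basename($originalName);
    $dot  = strrpos($base, '.');
    return $dot === false ? '' : strtolower(substr($base, $dot + 1));
}

function looksLikeArchive(string $path, string $ext): bool
{
    // Read the first bytes of the temp file and compare against the signatures.
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return false;
    }
    $head = (string) fread($fh, 8);
    fclose($fh);
    foreach (ALLOWED[$ext] ?? [] as $magic) {
        if (strncmp($head, $magic, strlen($magic)) === 0) {
            return true;
        }
    }
    return false;
}

function storeUpload(array $file, string $uploaderIp): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . $file['error']);
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    $ext = extensionOf($file['name']);
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException("extension .$ext not allowed");
    }
    if (!looksLikeArchive($file['tmp_name'], $ext)) {
        throw new RuntimeException('content does not match extension');
    }

    // Random, unguessable name on disk; the original name lives only in the
    // database, so no user-controlled string ever becomes a filesystem path.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = UPLOAD_DIR . '/' . $stored;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move file');
    }
    chmod($dest, 0640); // readable by the web user, never executable

    $db = new PDO('sqlite:' . DB_PATH);
    $db->exec('CREATE TABLE IF NOT EXISTS uploads (
        id INTEGER PRIMARY KEY, stored_name TEXT NOT NULL UNIQUE,
        original_name TEXT NOT NULL, uploader_ip TEXT NOT NULL,
        uploaded_at TEXT NOT NULL)');
    $stmt = $db->prepare('INSERT INTO uploads
        (stored_name, original_name, uploader_ip, uploaded_at) VALUES (?, ?, ?, ?)');
    $stmt->execute([$stored, basename($file['name']), $uploaderIp, gmdate('c')]);
    return $stored;
}

if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['archive'])) {
    try {
        $name = storeUpload($_FILES['archive'], $_SERVER['REMOTE_ADDR'] ?? 'unknown');
        echo "stored as $name\n";
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ' . htmlspecialchars($e->getMessage()) . "\n";
    }
}
```

The uploader's IP is recorded with each row, which covers the logging the thread wanted. Keeping `UPLOAD_DIR` outside the document root matters as much as the `chmod`: a file the web server will not serve or run cannot be executed as a script no matter what extension it carried when it arrived.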