#1
OK, I need someone who is smart at PHP.

I wanna set up a page where people can upload files. Can someone help me with the script?

I've been trying with a tutorial, but it's not working and is giving me the ****s.

Thanks
Quote by musical donkey
cyclobs you are demented..... in a good way
#3
So what's wrong with this script?

<?php
if (($_FILES["file"]["type"] == "aplications/zip"))
{
if ($_FILES["file"]["error"] > 0)
{
echo "Return Code: " . $_FILES["file"]["error"] . "<br />";
}
else
{
echo "Upload: " . $_FILES["file"]["name"] . "<br />";
echo "Type: " . $_FILES["file"]["type"] . "<br />";
echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
echo "Temp file: " . $_FILES["file"]["tmp_name"] . "<br />";

if (file_exists("upload/" . $_FILES["file"]["name"]))
{
echo $_FILES["file"]["name"] . " already exists. ";
}
else
{
move_uploaded_file($_FILES["file"]["tmp_name"],
"upload/" . $_FILES["file"]["name"]);
echo "Stored in: " . "upload/" . $_FILES["file"]["name"];
}
}
}
else
{
echo "Invalid file";
}
?>
#4
Well, for starters, the mime type for zip files is "application/x-zip".

Also, file uploads depend a lot on the web server. It needs the appropriate permissions to write to the temporary directory, your file can't exceed any limits it has on POST data size or it will drop the request, and it also needs write permission to the directory you're trying to save the uploaded file to.

It would also help if you printed any error messages that you're getting. However, since your first line will fail when it checks the mime type you can start there.
#5
As garett said, you need lots of permissions etc.

If your FTP client has CHMOD, then you basically need to set a folder with permissions like these, for example:

666, 700 or 744 (probably the safest for what you might want to do).

666 means that everyone can read and write
700 means only the owner can read and write
744 means that the owner can read, execute and write but everyone else can only read

or if you wanna live life on the edge, go 777:
everyone can read, write and execute... this is cgi-bin territory. Dangerous.
#6
For starters, please use code tags and proper indentation, otherwise we are all going to get brain cramps.

<?php
	if (($_FILES["file"]["type"] == "application/x-zip")) {
		
		if ($_FILES["file"]["error"] > 0) {
			echo "Return Code: " . $_FILES["file"]["error"] . "<br />";
		}
	
		else {
			echo "Upload: " . $_FILES["file"]["name"] . "<br />";
			echo "Type: " . $_FILES["file"]["type"] . "<br />";
			echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
			echo "Temp file: " . $_FILES["file"]["tmp_name"] . "<br />";

			if (file_exists("upload/" . $_FILES["file"]["name"])) {
				echo $_FILES["file"]["name"] . " already exists. ";
			}
			else {
				move_uploaded_file($_FILES["file"]["tmp_name"],
				"upload/" . $_FILES["file"]["name"]);
				echo "Stored in: " . "upload/" . $_FILES["file"]["name"];
			}
		}
	}
	
	else {
		echo "Invalid file";
	}
?>


You should follow the example at http://www.w3schools.com/php/php_file_upload.asp where this code comes from. Obviously change the filetypes, but if you do that, then their example works (I tested it).

The filename doesn't magically appear; you need to have it passed via a parameter to your PHP script somehow. The .html form they have at the start of the example does a good job of that (although you could do it via the URL).

And using this code can be very dangerous; I would advise against it unless you know for sure you have it all set up correctly.
Last edited by LordSephiroth at Jul 12, 2007,
#7
Quote by cyclobs
so whats wrong with this script?

<?php
if (($_FILES["file"]["type"] == "aplications/zip"))
{
if ($_FILES["file"]["error"] > 0)
{
echo "Return Code: " . $_FILES["file"]["error"] . "<br />";
}
else
{
echo "Upload: " . $_FILES["file"]["name"] . "<br />";
echo "Type: " . $_FILES["file"]["type"] . "<br />";
echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
echo "Temp file: " . $_FILES["file"]["tmp_name"] . "<br />";

if (file_exists("upload/" . $_FILES["file"]["name"]))
{
echo $_FILES["file"]["name"] . " already exists. ";
}
else
{
move_uploaded_file($_FILES["file"]["tmp_name"],
"upload/" . $_FILES["file"]["name"]);
echo "Stored in: " . "upload/" . $_FILES["file"]["name"];
}
}
}
else
{
echo "Invalid file";
}
?>


I see very possible XSS exploits in here. Filter the code.
Note: Uploading scripts are very, very dangerous; they can possibly cause your server to get hijacked (run black hats' malicious code).

Edit: LordSephiroth, since when aren't you a mod anymore?
Last edited by Incardito at Jul 12, 2007,
#8
Quote by Incardito
I see very possible XSS exploits in here. Filter the code.
Note: Uploading scripts are very, very dangerous; they can possibly cause your server to get hijacked (run black hats' malicious code).
XSS = Cross Site Scripting, and it's all about injecting malicious code into an otherwise trustworthy HTML document.

Usually an XSS attack is similar to a phishing attack in that it's used to bypass authentication schemes etc. and tricks the user into submitting data to a source that they think is trusted.

Seeing as how that file upload example doesn't really output anything except the file data, let alone connect to multiple hosts to pull HTML data to send to the browser, there is absolutely no way that the code could possibly be vulnerable to an "XSS" attack.

Not only that, but your choice of words, "XSS exploit", is ridiculous as well. An exploit is a piece of code that, as you might guess, exploits a bug in an application in such a way that it results in escalated service. I gather what you meant to say was something along the lines of "I see some issues with that code that could lead to potential XSS attacks". But since a script that simply processes POST data and doesn't output anything can not possibly be vulnerable to an XSS attack...

Hell, there's even more. I can't believe how much I can pick apart 2 simple sentences. Filter the code? As in validate the user input? The only user input is the POST data, and he does validate it to ensure that it's a zip file, which is what he intends to allow users to upload. He could check the data size to set a maximum file upload, but since the web server has to finish accepting the POST request before it even gets sent to the PHP script, that's pointless. It's much better to set a maximum POST request in php.ini and/or your apache / web server config. So what else is there to validate / "filter"?

Seph was right in that allowing users to upload data to your web server can be dangerous and there's some considerations. Those considerations are:

o You should not allow uncapped POST data or set max POST data too high, because that creates the possibility of denial of service attacks.

o You need to make sure that users can not upload data to sensitive locations (ie: not allow users to overwrite data that's already on the hard drive, particularly security sensitive data such as your password files or public html etc.). And as you pointed out in your edit, they shouldn't be able to upload executable files (specifically to locations that are accessible publicly via HTTP), be they scripts or binaries.

o The final one is that you need to watch out for possible race conditions where two users upload a file with the same name and overwrite each other's data. But that's more of a convenience / usability issue than a security one.
Last edited by garett at Jul 12, 2007,
#9
Quote by Incardito
I see very possible XSS exploits in here. Filter the code.


I don't see it. The only user input being returned to the browser is the filename (and filetype), which will be invalid unless someone has a filename with HTML in it for some reason. I guess if you were going the XSS type route though, you could send them a link and trick them into uploading some files from their local system and trying to read them, but that wouldn't necessarily be an XSS. (edit: which couldn't be done if it was submitted via POST request, XSS in POST is useless)

Edit: LordSephiroth, since when aren't you a mod anymore?


heh, I resigned a few years ago.
Last edited by LordSephiroth at Jul 12, 2007,
#10
Quote by LordSephiroth
I don't see it. The only user input being returned to the browser is the filename (and filetype), which will be invalid unless someone has a filename with HTML in it for some reason. I guess if you were going the XSS type route though, you could send them a link and trick them into uploading some files from their local system and trying to read them, but that wouldn't necessarily be an XSS. (edit: which couldn't be done if it was submitted via POST request)


heh, I resigned a few years ago.

I was speaking hypothetically, I mean if you see some of the stupid generic upload scripts on most "newb" sites, then my comment is very plausible. If you want me to show you a live example I'll do it gladly.

However right now, the right term would be "code injection".

ps. I was once banned by you :P
#11
Quote by Incardito
I was speaking hypothetically, I mean if you see some of the stupid generic upload scripts on most "newb" sites, then my comment is very plausible. If you want me to show you a live example I'll do it gladly.


heh, no, I test custom and COTS web apps for the organization that I work for. I see enough XSS vulnerabilities in apps that cost us several thousand dollars; I don't need to see them in newbie code.

Like garrett said, an XSS in a POST parameter is useless, because it isn't passed through the URL, it's passed through the body of the request. Not to mention what I said earlier, it would generate an error if he tried to pass an invalid filename.

I just realized that _FILES takes the filename via POST and won't accept it via GET as well, so it's fairly worthless.

ps. I was once banned by you :P


heh, oops :x
#12
Quote by Incardito
I was speaking hypothetically, I mean if you see some of the stupid generic upload scripts on most "newb" sites, then my comment is very plausible. If you want me to show you a live example I'll do it gladly.

However right now, the right term would be "code injection".

ps. I was once banned by you :P
That's better.

However, apache won't execute binaries unless the folder has Option +Exec (which in any default config only cgi-bin gets, and in any sane default config cgi is disabled), and he does check the mime-type to ensure it's a zip file before accepting the upload. So if someone uploaded a javascript or php or perl script or whatever, it would not go through.

So a code injection is simply not possible, although if it were my code I would have it upload somewhere that the web server user can't read but can write to. But I'm paranoid.
#13
Quote by garett
o The final one is that you need to watch out for possible race conditions where two users upload a file with the same name and overwrite each other's data. But that's more of a convenience / usability issue than a security one.


Yes, I wanna set up something about that too, but this is the first time I've ever needed to use PHP scripting, so please help, lol.
#14
Quote by garett
Well, for starters, the mime type for zip files is "application/x-zip".


I fixed that up, but it's still returning an invalid file error.
#15
Quote by cyclobs
I fixed that up, but it's still returning an invalid file error.


Read my post, you have to have the filename passed via a POST parameter.
#16
Never written an upload script, but basically, as I'm sure you know, just make sure that the only thing that can be accepted is a zip file...

so maybe just have a statement that checks the file ends with .zip and that it can only be read, not executed, so maybe CHMOD with 755 permissions....(default).
#17
Quote by rkelsey
Never written an upload script, but basically, as I'm sure you know, just make sure that the only thing that can be accepted is a zip file...

so maybe just have a statement that checks the file ends with .zip and that it can only be read, not executed, so maybe CHMOD with 755 permissions....(default).
Stripping exec permissions doesn't help, though, if you're uploading a script that can be executed by the web server (like a php or perl file etc.). But that's why you check the mime type and file extensions. Apache won't send any arbitrary file through mod_php or mod_perl unless it has a specific file extension (which is configurable).

And, as I pointed out earlier, any sane web server will only execute binaries in a directory configured to do so (ie: cgi-bin), and most newer default web servers will have cgi disabled altogether, with instructions for enabling it if you really need it.

Plus, any script that uploads any files to cgi-bin was obviously written by a moron. Just like anyone who configures their web server with the equivalent of apache's "Option +Exec" on every directory or who sends all files through mod_php/mod_perl (though I don't know that you can even do that, but I'm not sure since I've never been so brain dead as to try) is a moron.
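Pulling together garett's list of considerations in #8 (cap the size, keep uploads out of sensitive or executable locations, avoid filename collisions) and the mime-type / extension checks discussed in #12 and #17, here is an added example of a hardened version of the w3schools handler; it is not code from the thread. It assumes a form field named "file", PHP 7 or later, and a constructed placeholder directory UPLOAD_DIR outside the web root; note that $_FILES["file"]["type"] is whatever the browser sends, so the content is sniffed server-side with finfo instead.

```php
<?php
// Added example (not from the thread): hardened upload handler that accepts only zip files.
const UPLOAD_DIR = '/var/www/uploads';   // placeholder: a directory outside the web root, writable by the server user
const MAX_BYTES  = 5 * 1024 * 1024;      // 5 MiB; upload_max_filesize / post_max_size in php.ini must allow this too

function store_zip_upload(array $file, string $dir = UPLOAD_DIR, int $maxBytes = MAX_BYTES): string
{
    // 1. PHP's own error code already covers partial uploads, php.ini size limits, missing tmp dir.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with code ' . ($file['error'] ?? 'unknown'));
    }
    // 2. Only handle a file that really arrived through the upload mechanism, never a local path.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    // 3. Script-side size cap as a second line of defence behind post_max_size.
    if ($file['size'] > $maxBytes || filesize($file['tmp_name']) > $maxBytes) {
        throw new RuntimeException('File too large');
    }
    // 4. Do not trust $file['type']: the browser chooses it. Sniff the actual bytes instead.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== 'application/zip') {
        throw new RuntimeException('Not a zip archive (detected ' . $mime . ')');
    }
    // 5. Extension check on the client-supplied name; nothing else about that name is used.
    if (strtolower(pathinfo($file['name'], PATHINFO_EXTENSION)) !== 'zip') {
        throw new RuntimeException('Only .zip names are accepted');
    }
    // 6. Never reuse the client's name: it could contain "../" or collide with another user's
    //    upload (the race garett mentions). A random name avoids both problems.
    $dest = rtrim($dir, '/') . '/' . bin2hex(random_bytes(16)) . '.zip';
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not move upload into place');
    }
    chmod($dest, 0640);   // readable, never executable
    return $dest;
}

try {
    $saved = store_zip_upload($_FILES['file'] ?? []);
    // Encode anything echoed back to the browser, even our own generated name.
    echo 'Stored as ' . htmlspecialchars(basename($saved), ENT_QUOTES, 'UTF-8');
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'Upload rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

Because the file lands outside the document root under a name the server chose, Apache has nothing to hand to mod_php or cgi-bin, which is the property the later posts in the thread are arguing about.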