I have a website that involves users uploading pictures.
I have stopped users from uploading files that don't match .gif .jpg .jpeg .bmp etc. But someone has just been able to upload a PHP file.
I noticed the image wasn't displaying on their profile page, so I copied the image URL, and all my server information was displayed.
I have attached the file, because it's too long to fit in this post.
Please can someone have a look and tell me exactly how they were able to access my server.
"code"=>array("php","phtml","php3","php4","inc","tcl","h","c","cpp","py","cgi","pl"),
Line 145
I'm not sure if that's the allowed filetypes array; there's so much code I didn't have the time to look through it all.
weeee... fantastix... :-P it's a remote shell. The pseudo-hacker accesses this file, which works like a DOS shell executing on your site.
But it's just a lamer, for me... He got a copy of this script from a .ru site and put it on your site. But he didn't set it up... so it is never accessed... what a silly pseudo-man... -.-
But now change your protection... pay more attention... bye bye!
O_O wooow... it's set up! I'm sorry for you, but all of this works fine!!!
This program also brute-forces the ftp password and others... I suggest you change every password on this machine!!!
good luck!
Can you paste the code you are using to check for allowed file types?
forums wrote: I have stopped users from uploading files that don't match .gif .jpg .jpeg .bmp etc. But someone has just been able to upload a PHP file.
Are you sure you've stopped users from uploading files other than gif, jpg etc? It's really not hard to validate and ensure that only those files are uploaded.
That file you attached contains a huge amount of code. I'll be surprised if someone will debug the 50 0000 lines of code for you.
If you have the GD library installed, use the getimagesize() function to determine the file type. It actually inspects the file data to determine the type, as opposed to just looking at the file name suffix (which obviously can be changed to whatever someone wants to change it to).
$info = getimagesize($file);
if ($info === false || !$info[2]) {
    // not a known image type (getimagesize() returns false for non-images)
} else {
    // appears to be a valid image file; $info[2] is the IMAGETYPE_* constant
}
I read that checking the MIME type is not reliable. Being paranoid, I check the image type with getimagesize like that person said^ and also convert the file to PNG before I store the image on my site. Of course this would stop people storing animated gifs. I hear that ImageMagick has functions to help with that.
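The last three replies describe the pieces of a safe upload handler: an extension whitelist instead of a blacklist like the "code" array quoted earlier, a content check with getimagesize(), and re-encoding the pixels before storing the file. The following is an added example that puts them together; it is not code from the thread or from the attached file. It assumes PHP 8 with GD, a form field named "picture", and an upload directory that the web server serves as static files only (the PHP engine must be disabled for that directory, otherwise a stored file that still parses as PHP could be executed). Everything survives re-encoding except metadata and animation, which is the trade-off the last reply mentions.

```php
<?php
// Added example (not from the original thread). Assumed: PHP 8 with GD,
// a form field named "picture", and $uploadDir served as static files only.
declare(strict_types=1);

const MAX_BYTES = 2 * 1024 * 1024;             // assumed size limit: 2 MB

// Whitelist of accepted image types, keyed by the IMAGETYPE_* constant
// that getimagesize() reports in $info[2]. Anything else is rejected.
const ALLOWED_TYPES = [
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
];

/**
 * Validate one entry of $_FILES, re-encode it as PNG and store it under a
 * server-generated name. Returns the stored filename; throws on any failure.
 */
function storeUploadedImage(array $upload, string $uploadDir): string
{
    // 1. PHP's own upload status and origin checks.
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . (int) $upload['error']);
    }
    if (!is_uploaded_file($upload['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if (filesize($upload['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // 2. Decide by content, never by the client-supplied name or MIME type.
    //    getimagesize() parses the image header and returns false for
    //    anything that is not a recognised image (a PHP script, for example).
    $info = @getimagesize($upload['tmp_name']);
    if ($info === false || !isset(ALLOWED_TYPES[$info[2]])) {
        throw new RuntimeException('not an allowed image type');
    }

    // 3. Decode with GD and re-encode. Only pixel data survives this step:
    //    metadata and any bytes appended after the image are dropped.
    $image = match ($info[2]) {
        IMAGETYPE_GIF  => imagecreatefromgif($upload['tmp_name']),
        IMAGETYPE_JPEG => imagecreatefromjpeg($upload['tmp_name']),
        IMAGETYPE_PNG  => imagecreatefrompng($upload['tmp_name']),
    };
    if ($image === false) {
        throw new RuntimeException('image could not be decoded');
    }

    // 4. Never reuse the client's filename: generate a random one and
    //    fix the extension to match the format we actually wrote.
    $name = bin2hex(random_bytes(16)) . '.png';
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    $ok = imagepng($image, $dest);
    imagedestroy($image);
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    return $name;
}

// Usage (assumed form field "picture" and uploads/ directory):
try {
    $stored = storeUploadedImage($_FILES['picture'] ?? [], __DIR__ . '/uploads');
    echo 'Stored as ' . htmlspecialchars($stored);
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'Upload rejected';
}
```

The content check and the re-encoding are independent layers: getimagesize() rejects files that are not images at all, while re-encoding discards anything hidden inside a file that is a valid image. Disabling script execution in the upload directory is the third layer, and it is the one that would have stopped the uploaded shell from running even after the other checks were bypassed.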