
File upload problem.

This forum is purely to discuss issues with the released public betas of IntegraMOD.


Post by IceWind » Wed Dec 31, 2008 6:31 am

Hi,

I'm running IM 1.4.1 and using ctracker.
Someone was able, by using the downloads section, to upload a .php file and execute it.
I noticed in that section's settings that it should block .php, .php3 and so on... but still it keeps accepting and uploading them.
Is there a fix for this?

Thanks.

IceWind
Newbie
Posts: 12
Joined: Fri Aug 11, 2006 1:16 pm
Location: Ireland

Re: File upload problem.

Post by MWE_001 » Wed Dec 31, 2008 6:55 am

There is a quick fix I can give you for now, until I can find the real fix for the hta file.

Let me take a wild guess and say that the file is being uploaded to pafile_db/images/screenshots

You can, for now, chmod that screenshots file to 644. What this will do is not allow anyone to upload to that file at all. If you are not worried about having screenshots of whatever it is you are offering for download, then problem solved.

Let me go search for that other thread real fast on the hta file fix. I'll brb
"Don't gain the world and lose your soul, wisdom is better than silver and gold" -Bob Marley

If you build it, I can break it! ~ Whispered in the tone of the movie Field of Dreams.
MWE_001
Sr Integra Member
Posts: 1265
Joined: Fri Apr 21, 2006 6:59 pm
Location: Illinois

Re: File upload problem.

Post by MWE_001 » Wed Dec 31, 2008 6:59 am

Here you go. Hope this helps. Very valuable info inside this post.

http://integramod.com/forum/viewtopic.p ... hta#p29088

Re: File upload problem.

Post by IceWind » Wed Dec 31, 2008 7:17 am

A wild guess, you say!

Thanks for the help; I was searching for this but got nothing specific.
I was about to go check the upload code to see if I could fit in a file content check.

Thanks, I'm going to check the information provided.


Re: File upload problem.

Post by MWE_001 » Wed Dec 31, 2008 8:02 am

Now for the really funny part. After reading this, I decided to check some websites on my server and I found one that had hack scripts uploaded to the very same exact spot. I just finished dropping hta files in place for all on my server. I'm actually glad this thread was posted today.

Well, I'm not glad for anyone that this happens; it was just a reminder to us all.

Re: File upload problem.

Post by IceWind » Wed Dec 31, 2008 11:15 am

Indeed! I need to check all the folders now.

Just for fun I swapped the .php script that was uploaded for another one that logs the IPs and the access times! And the b****** already went there twice. :(

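An added example for the "check all the folders" step, not code from the thread or from IntegraMOD: a command-line PHP script that walks the upload directories and reports three things an extension deny-list will not catch on its own: files with a script extension, files of any extension (a renamed GIF, say) whose content contains a PHP open tag or shell-style function calls, and .htaccess files an attacker may have dropped to re-enable execution. The directory list, the function name scan_upload_dir and the extension and marker lists are assumptions.

```php
<?php
// Added example, not from the thread or from IntegraMOD: walk upload
// directories and report files that should not be there. Run from the CLI:
//   php scan_uploads.php pafiledb/images/screenshots pafiledb/uploads album_mod/upload
// The directory list, function name and extension list are assumptions.
declare(strict_types=1);

// Extensions the web server may execute; none belong under an upload directory.
const SCRIPT_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar',
    'cgi', 'pl', 'py', 'sh', 'shtml', 'jsp', 'asp',
];

// Function names that almost never occur inside a genuine image file.
const SHELL_MARKERS = '/\b(eval|assert|system|shell_exec|passthru|exec|popen|base64_decode)\s*\(/i';

/**
 * Return findings as [path, reason, mtime] triples, newest first, so the
 * most recent drop is at the top of the list.
 */
function scan_upload_dir(string $dir): array
{
    $findings = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $entry) {
        /** @var SplFileInfo $entry */
        if (!$entry->isFile()) {
            continue;
        }
        $path = $entry->getPathname();
        $ext  = strtolower($entry->getExtension());
        // Only the first 64 KiB is needed: webshells put their code at the top.
        $head = (string) file_get_contents($path, false, null, 0, 65536);

        if ($entry->getFilename() === '.htaccess') {
            // Attackers drop these to re-enable execution; confirm it is yours.
            $reason = '.htaccess inside upload directory';
        } elseif (in_array($ext, SCRIPT_EXTENSIONS, true)) {
            $reason = 'script extension';
        } elseif (preg_match('/<\?(php\b|=)/i', $head) === 1) {
            $reason = 'PHP open tag in a non-script file (e.g. shell disguised as GIF)';
        } elseif (preg_match(SHELL_MARKERS, $head) === 1) {
            $reason = 'shell-like function call in file content';
        } else {
            continue;
        }
        $findings[] = [$path, $reason, $entry->getMTime()];
    }
    usort($findings, fn(array $a, array $b): int => $b[2] <=> $a[2]);
    return $findings;
}

if (PHP_SAPI === 'cli' && $argc > 1) {
    foreach (array_slice($argv, 1) as $dir) {
        foreach (scan_upload_dir($dir) as [$path, $reason, $mtime]) {
            printf("%s\t%s\t%s\n", date('Y-m-d H:i:s', $mtime), $reason, $path);
        }
    }
}
```

The modification time is printed first so the output can be compared with the web server access log for the same window; a hit on a file under the screenshots directory with a request logged against it is the execution this thread is about. Treat a listed .htaccess as a finding until you have read it: the one you dropped in yourself is expected, one you did not is not.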

Re: File upload problem.

Post by IceWind » Fri Jan 02, 2009 8:03 am

I was trying to follow the code used to upload the files, but it's not easy to get at first try.

Can someone give me a tip on where I can find the part where it uploads the file? I was planning to add a MIME-type check there and only let image types pass.
It's not 100% secure, but it's a start...

Thanks.

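An added example of the check described above, not code from pafileDB or IntegraMOD (the function names, the form field name "screenshot" and the target directory are assumptions): a content-based image check in PHP. The point it makes beyond a MIME-type check is that both the filename and the type in $_FILES are supplied by the client and can say anything, which is exactly what an extension deny-list trusts; so the check reads the file's own bytes, confirms the header parses, refuses image/PHP polyglots, and then stores the file under a server-generated name so a client-chosen ".php" suffix never reaches disk.

```php
<?php
// Added example, not code from pafileDB or IntegraMOD: accept an uploaded
// screenshot only if its own bytes say it is a GIF, PNG or JPEG, then store
// it under a server-chosen name. Function names, the form field "screenshot"
// and the target directory are assumptions.
declare(strict_types=1);

// Extension we will write => [MIME that getimagesize() must report, signatures]
const ALLOWED_IMAGE_TYPES = [
    'gif' => ['image/gif',  ["GIF87a", "GIF89a"]],
    'png' => ['image/png',  ["\x89PNG\r\n\x1a\n"]],
    'jpg' => ['image/jpeg', ["\xFF\xD8\xFF"]],
];

/**
 * Validate a file PHP just received. Returns the extension to store it under
 * or throws. Nothing here looks at $_FILES[...]['name'] or ['type']: both are
 * chosen by the client, which is exactly what a deny-list of extensions trusts.
 */
function validate_image_upload(string $tmpPath, int $size, int $maxBytes = 2000000): string
{
    if (!is_uploaded_file($tmpPath)) {
        throw new RuntimeException('not a file received via HTTP upload');
    }
    if ($size <= 0 || $size > $maxBytes) {
        throw new RuntimeException('size out of range');
    }

    // 1. Magic bytes: the first 8 bytes must match an allowed signature.
    $head = (string) file_get_contents($tmpPath, false, null, 0, 8);
    $ext = null;
    foreach (ALLOWED_IMAGE_TYPES as $candidate => [$mime, $signatures]) {
        foreach ($signatures as $sig) {
            if (strncmp($head, $sig, strlen($sig)) === 0) {
                $ext = $candidate;
                break 2;
            }
        }
    }
    if ($ext === null) {
        throw new RuntimeException('not a GIF, PNG or JPEG by signature');
    }

    // 2. The image header must parse as that type. getimagesize() reads only
    //    the header, so this confirms the type but says nothing about what
    //    follows it; step 3 covers the rest of the file.
    $info = @getimagesize($tmpPath);
    if ($info === false || $info['mime'] !== ALLOWED_IMAGE_TYPES[$ext][0]) {
        throw new RuntimeException('header does not parse as ' . $ext);
    }

    // 3. Polyglot check: a valid image header with PHP source appended still
    //    runs if the server ever executes it. Refuse any PHP open tag anywhere.
    //    (GIF comment blocks can legally hold "<?php"; this policy rejects such
    //    files; re-encoding through GD is the stricter alternative.)
    $body = (string) file_get_contents($tmpPath);
    if (preg_match('/<\?(php\b|=)/i', $body) === 1) {
        throw new RuntimeException('PHP open tag inside image data');
    }

    return $ext;
}

/**
 * Move a validated upload into $targetDir under a random name, so a client
 * name such as "shot.gif.php" or "shot.php" never reaches the filesystem.
 */
function store_image_upload(array $file, string $targetDir): string
{
    $error = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($error !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with error code ' . $error);
    }
    $ext  = validate_image_upload($file['tmp_name'], (int) $file['size']);
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($targetDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move upload into place');
    }
    chmod($dest, 0644);   // readable by the web server, writable by nobody else, never executable
    return $name;
}

// Inside the upload handler (assumed field name):
// $stored = store_image_upload($_FILES['screenshot'], __DIR__ . '/images/screenshots');
```

The random filename is the part that makes the extension deny-list irrelevant: whatever the client called the file, what lands on disk ends in .gif, .png or .jpg. Rejecting images that contain an open tag will also reject the occasional legitimate GIF with a text comment; if that matters, decode with imagecreatefromgif() and write a fresh file with imagegif(), which discards everything that is not pixel data. None of this replaces the .htaccess rules discussed later in the thread; it just means the web server's refusal to execute is the second line rather than the only one.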

Re: File upload problem.

Post by MWE_001 » Fri Jan 02, 2009 1:15 pm

Would it not be a bit easier to just make it so users cannot upload any files to your dload database? I know this was not an answer to your question and I do apologise for that. It was just a simple query on my part.

I have turned off user uploads on my site and chmodded the screenshots folder to 755, due to the fact that really, no one on my site will upload any files anyway, nor do they have a reason to. That stopped the problem instantly on my site.

Re: File upload problem.

Post by IceWind » Sat Jan 03, 2009 4:56 am

No worries, I got the point.
Thing is, disabling uploads would have a big impact on the forum. Due to its nature the album section is one of the most used. The downloads area not so much, but it's quite helpful, especially the screenshots, as most of the uploaded downloads are plans in CAD files and an image screenshot is the best way to keep you from downloading stuff that in the end isn't helpful.

For now I'll follow the links provided and disable script execution in all the upload target folders, and I think that will help a lot. But this still doesn't prevent the script file from being uploaded, and that concerns me a bit.
I was trying to secure the process a bit more; in the end, if I'm not satisfied, I will eventually disable the upload area, for example, like you say.


Re: File upload problem.

Post by Helter » Sat Jan 03, 2009 11:13 am

"IceWind" wrote: I was trying to follow the code used to upload the files, but it's not easy to get at first try.

Can someone give me a tip on where I can find the part where it uploads the file? I was planning to add a MIME-type check there and only let image types pass.
It's not 100% secure, but it's a start...

Thanks.

The problem with this is that most PHP files are uploaded as GIF images, then changed to PHP.
You can put this in your .htaccess files in
album_mod/upload/
pafiledb/uploads/
pafiledb/images/screenshots/

Code:
# no reason any code should be able to run in this folder!
AddHandler cgi-script .php .js .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI

This won't stop users from uploading GIFs and changing them to PHP, but it will make the file not executable.
Always use Protection

Please do not PM for support
Helter
Administrator
Posts: 4167
Joined: Sat Mar 11, 2006 3:46 pm
Location: Seattle Wa
IntegraMOD version: IM 3
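Helter's three-line rule works by mapping the listed extensions to Apache's CGI handler and then forbidding CGI in that directory, so a request for an uploaded .php file gets an error from mod_cgi (normally 403) instead of being run by mod_php. Two caveats a practitioner will want: it only takes effect if AllowOverride for that path permits both FileInfo (for AddHandler) and Options; if either is missing, Apache answers every request in the directory with a 500, which also stops execution but breaks the screenshots. And it does nothing on nginx or any other server that ignores .htaccess. The block below is an added, layered version of the same idea and is not from the thread; it assumes Apache 2.4 (the 2.2 equivalent of the Require line is "Order deny,allow" / "Deny from all") and that the mod_php module name matches your build.

```apache
# Added example, not from the thread: layered .htaccess for an upload-only
# directory such as pafiledb/images/screenshots/. Assumes Apache 2.4 with
# AllowOverride including FileInfo, Options and AuthConfig for this path.
# Each layer stands on its own, so one ignored directive does not reopen the hole.

# Layer 1: refuse to serve anything with a script-like extension anywhere in
# the name, so "shot.php.gif" and "shot.gif.php" are both answered with 403.
# This runs in the access-control phase, before any handler is chosen.
<FilesMatch "(?i)\.(php[0-9]?|phtml|phar|cgi|pl|py|sh|shtml|jsp|asp|htm|html)(\.|$)">
    Require all denied
</FilesMatch>

# Layer 2: drop any PHP handler/type mapping inherited from the server config
# so a file that is served at all goes out as plain bytes, and never run
# CGI or server-side includes from here (this is the directive from the post).
RemoveHandler .php .php3 .php4 .php5 .php7 .phtml .phar
RemoveType    .php .php3 .php4 .php5 .php7 .phtml .phar
Options -ExecCGI -Includes

# Layer 3: mod_php only. Switch the engine off for this whole tree. The
# IfModule guard keeps the directive from causing a 500 under php-fpm, where
# it is not understood and layer 1 does the blocking. Use mod_php5.c or
# mod_php.c to match your PHP version.
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>

# Layer 4: stop browsers sniffing an "image" that is really HTML or script
# into something they will execute client-side.
<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
</IfModule>
```

After dropping the file in, test it rather than trusting it: request a harmless text file with a .php name from the directory and confirm you get 403 (or the raw text), not a 200 with PHP output and not a 500 for an ordinary image in the same directory. The layers also only hold as long as the directory stays read-only to the web server for anything but the upload handler; an attacker who can write a new .htaccess into the same directory can undo all four, which is why the scan for unexpected .htaccess files earlier in the thread matters.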

Re: File upload problem.

Post by MWE_001 » Sun Jan 04, 2009 12:21 pm

"IceWind" wrote: No worries, I got the point.
Thing is, disabling uploads would have a big impact on the forum. Due to its nature the album section is one of the most used. The downloads area not so much, but it's quite helpful, especially the screenshots, as most of the uploaded downloads are plans in CAD files and an image screenshot is the best way to keep you from downloading stuff that in the end isn't helpful.

For now I'll follow the links provided and disable script execution in all the upload target folders, and I think that will help a lot. But this still doesn't prevent the script file from being uploaded, and that concerns me a bit.
I was trying to secure the process a bit more; in the end, if I'm not satisfied, I will eventually disable the upload area, for example, like you say.

Ah ok, I see your point. Yeah, do as Helterskelter has suggested and all should be good to go.