Hacker Help

John84 · 08-21-2007, 02:28 PM

Not sure if this is the correct place to post this. Or even if this is allowed to be posted. If not, please delete this thread.

I found this upload script that is exactly what I was looking for. However, I found that it keeps getting hacked shortly after I put it up. Can someone please tell me what makes this script so easily hacked? Where are the security holes and how can it be fixed? Would a mandatory login function help? I know there are plenty other scripts out there but I really like this one.

Upload Script

-NC- · 08-21-2007, 02:46 PM

looks to me like you are allowing upload of .php files.

you should probably restrict upload of all executable files e.g. .php,.asp
i'm not familiar with this particular script, but they usually have a config file which sets file extensions to block.

edit:
having looked at this script, it appears to have no built in way to restrict the file types. ideally for security, i would recommend the script is modified to:

- upload files to a directory out of the webroot
- download files via a php file which pushes the file to the user's browser (no direct access to the file)
- block any file extensions you specify

????: NamePros.com http://www.namepros.com/programming/364678-hacker-help.html
None of these things are particularly complicated, maybe the script creator would do them if asked nicely?

cef · 08-21-2007, 03:15 PM

In addition to checking the extension as -NC- says, I also run the uploaded files through the "file" command, which takes further steps to verify the file type beyond merely looking at the extension:

file -b <filename>

This prints out something like "PHP script text" for a php script, even if it has an image extension (like .gif or .jpg). For a gif image, the command might print out something like "GIF image data, version 89a, 10 x 81", regardless of the file extension.

Eric · 08-21-2007, 04:10 PM

Originally Posted by cef

In addition to checking the extension as -NC- says, I also run the uploaded files through the "file" command, which takes further steps to verify the file type beyond merely looking at the extension:

file -b <filename>

This prints out something like "PHP script text" for a php script, even if it has an image extension (like .gif or .jpg). For a gif image, the command might print out something like "GIF image data, version 89a, 10 x 81", regardless of the file extension.

Doesn't *always* work, I was able to fool it.
????: NamePros.com http://www.namepros.com/showthread.php?t=364678

But yes, it'd be a good idea to have the script restrict file types/extensions.

cef · 08-21-2007, 04:13 PM

True, and you can put a payload in gif file headers as well. But the combination of extension + type check is effective 99% of the time.

And as mentioned, it's only part of a complete solution.

08-21-2007, 02:28 PM	THREAD STARTER #1 (permalink)
John84 NamePros Regular Join Date: Apr 2006 Posts: 267	Hacker Help Not sure if this is the correct place to post this. Or even if this is allowed to be posted. If not, please delete this thread. I found this upload script that is exactly what I was looking for. However, I found that it keeps getting hacked shortly after I put it up. Can someone please tell me what makes this script so easily hacked? Where are the security holes and how can it be fixed? Would a mandatory login function help? I know there are plenty other scripts out there but I really like this one. Upload Script

08-21-2007, 02:46 PM	#2 (permalink)
-NC- Traveller Join Date: Mar 2007 Location: Yet another city Posts: 1,419	looks to me like you are allowing upload of .php files. you should probably restrict upload of all executable files e.g. .php,.asp i'm not familiar with this particular script, but they usually have a config file which sets file extensions to block. edit: having looked at this script, it appears to have no built in way to restrict the file types. ideally for security, i would recommend the script is modified to: - upload files to a directory out of the webroot - download files via a php file which pushes the file to the user's browser (no direct access to the file) - block any file extensions you specify ????: NamePros.com http://www.namepros.com/programming/364678-hacker-help.html None of these things are particularly complicated, maybe the script creator would do them if asked nicely? __________________ NameCooler.com Last edited by -NC-; 08-21-2007 at 03:12 PM.

08-21-2007, 03:15 PM	#3 (permalink)
cef NamePros Regular Join Date: May 2004 Location: NYC Posts: 236	In addition to checking the extension as -NC- says, I also run the uploaded files through the "file" command, which takes further steps to verify the file type beyond merely looking at the extension: file -b <filename> This prints out something like "PHP script text" for a php script, even if it has an image extension (like .gif or .jpg). For a gif image, the command might print out something like "GIF image data, version 89a, 10 x 81", regardless of the file extension.

08-21-2007, 04:13 PM	#5 (permalink)
cef NamePros Regular Join Date: May 2004 Location: NYC Posts: 236	True, and you can put a payload in gif file headers as well. But the combination of extension + type check is effective 99% of the time. And as mentioned, it's only part of a complete solution.

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)