Hacker Help
John84

Established Member
Not sure if this is the correct place to post this. Or even if this is allowed to be posted. If not, please delete this thread.

I found this upload script that is exactly what I was looking for. However, I found that it keeps getting hacked shortly after I put it up. Can someone please tell me what makes this script so easily hacked? Where are the security holes and how can it be fixed? Would a mandatory login function help? I know there are plenty of other scripts out there, but I really like this one.


Upload Script
Looks to me like you are allowing upload of .php files.

You should probably restrict upload of all executable files, e.g. .php, .asp.
I'm not familiar with this particular script, but they usually have a config file which sets file extensions to block.

Edit:
Having looked at this script, it appears to have no built-in way to restrict the file types. Ideally, for security, I would recommend the script is modified to:

- upload files to a directory out of the webroot
- download files via a php file which pushes the file to the user's browser (no direct access to the file)
- block any file extensions you specify

None of these things are particularly complicated, maybe the script creator would do them if asked nicely?
In addition to checking the extension as -NC- says, I also run the uploaded files through the "file" command, which takes further steps to verify the file type beyond merely looking at the extension:

file -b <filename>

This prints out something like "PHP script text" for a php script, even if it has an image extension (like .gif or .jpg). For a gif image, the command might print out something like "GIF image data, version 89a, 10 x 81", regardless of the file extension.
cef said:
In addition to checking the extension as -NC- says, I also run the uploaded files through the "file" command, which takes further steps to verify the file type beyond merely looking at the extension:

file -b <filename>

This prints out something like "PHP script text" for a php script, even if it has an image extension (like .gif or .jpg). For a gif image, the command might print out something like "GIF image data, version 89a, 10 x 81", regardless of the file extension.
Doesn't *always* work, I was able to fool it.

But yes, it'd be a good idea to have the script restrict file types/extensions.
True, and you can put a payload in gif file headers as well. But the combination of extension + type check is effective 99% of the time.

And as mentioned, it's only part of a complete solution.
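The following is an added example, not the upload script John84 linked or code from anyone in this thread. It puts the thread's advice into one PHP file: the three changes -NC- recommends (store uploads outside the web root, push them to the browser through a PHP handler rather than by direct URL, and restrict file types) plus the libmagic content check cef describes (PHP's finfo class reads the same magic database as the `file` command). It also handles the case raised afterwards, a file whose magic bytes say "image" but which carries a PHP payload: because the stored file is never under the web root and is only ever sent back as a download with a fixed Content-Type, the web server never hands it to the PHP engine. The storage path, size limit, allowlist and the form field name `userfile` are assumptions for the example.

```php
<?php
// Added example, not the original script. Assumes STORAGE_DIR is outside the
// web server's DocumentRoot and writable by the web server user, and that this
// file itself is the only thing reachable by URL.
declare(strict_types=1);

const STORAGE_DIR = '/var/uploads';        // assumption: NOT inside the web root
const MAX_BYTES   = 5 * 1024 * 1024;       // assumption: 5 MiB cap

// Allowlist (not a blocklist): extension => MIME types libmagic may report for it.
// Anything not listed here is rejected, so new executable extensions need no update.
const ALLOWED = [
    'gif'  => ['image/gif'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'pdf'  => ['application/pdf'],
];

// Validate one $_FILES entry and move it into STORAGE_DIR under a random name.
// Returns the opaque id a client later uses to download it.
function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // 1. Extension check against the allowlist. Only the final extension counts,
    //    so "shell.php.gif" is judged as "gif" and must also pass the content check.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // 2. Content check with libmagic, the same database `file -b` uses.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !in_array($mime, ALLOWED[$ext], true)) {
        throw new RuntimeException('content does not match .' . $ext);
    }
    // 3. Random server-side name: the client-supplied filename never reaches the
    //    filesystem, and the file lands outside the web root.
    $id   = bin2hex(random_bytes(16));
    $dest = STORAGE_DIR . '/' . $id;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // readable by the server, never executable
    // Keep the validated extension and MIME type for the download handler.
    file_put_contents($dest . '.meta', json_encode(['ext' => $ext, 'mime' => $mime]));
    return $id;
}

// Push a stored file to the browser. It is read from outside the web root and sent
// as an attachment with a fixed Content-Type, so a GIF that hides PHP in its
// comment block is downloaded as bytes, never run.
function serve_file(string $id): void
{
    if (!preg_match('/^[0-9a-f]{32}$/', $id)) {   // rejects ../ and anything non-id
        http_response_code(400);
        exit('bad id');
    }
    $path = STORAGE_DIR . '/' . $id;
    if (!is_file($path) || !is_file($path . '.meta')) {
        http_response_code(404);
        exit('not found');
    }
    $meta = json_decode((string) file_get_contents($path . '.meta'), true);
    header('Content-Type: ' . $meta['mime']);
    header('Content-Length: ' . filesize($path));
    header('Content-Disposition: attachment; filename="download.' . $meta['ext'] . '"');
    header('X-Content-Type-Options: nosniff');
    readfile($path);
    exit;
}

// Dispatch: a POST with a "userfile" field stores; GET ?id=... downloads.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['userfile'])) {
    try {
        echo 'stored as ', store_upload($_FILES['userfile']);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage());
    }
} elseif (isset($_GET['id'])) {
    serve_file((string) $_GET['id']);
}
```

The order of the three defenses matters less than having all of them: the extension and finfo checks turn away the obvious cases, while the out-of-webroot storage and download-only handler are what make the remaining "image with a payload" files harmless, since no URL ever maps them to the PHP interpreter. A login requirement, as John84 asks about, limits who can reach the upload form but does nothing about what an authenticated user uploads, so it complements these checks rather than replacing them.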