Help Required Immediately - URGENT

Security and PHP
#1

I’m having problems with people upload shell hacking scripts on my replay uploader, they are hacking my website each and every time.

Here is my script
http://pastebin.com/JfhBFugN

Currently my website is down until I resolve this issue.

My webhost said : "Restrict file types accepted for upload: check the file extension and only allow certain files to be uploaded. Use a whitelist approach instead of a blacklist. Check for double extensions such as .php.w3g. "

I don’t know how, please fix my script only to allow the upload of “.w3g” with no way for someone to bypassing it.

Thank you alot !

#2

Just post the code on this site and I will take a look at it. I am not going to create a pastebin account to troubleshoot your code.

#3

[code]<?php

/******************************************************************************

Last revision:

******************************************************************************/

?>

Ranked Gaming Parser Logo 
      <td style="height:40px">

	      <a class="menuButtons" href="index.php">Upload Replay</a>

			&nbsp;

          <a class="menuButtons" href="replaydb.php">Replay Database</a>  

                            &nbsp;

          <a class="menuButtons" href="http://www.mymgn.com/board/forumdisplay.php?f=709">RGC Forums</a>

 

          <a class="menuButtons" href="http://shop.rankedgaming.com/shop/">RGC Shop</a>

 

          <a class="menuButtons" href="http://stats.rankedgaming.com/stats/channel.php?c=19">RGC Stats</a> 

      </td>

  </tr>

DotA Replay Parser - Upload Replay

<?php $print_info = false; define("MAX_UPLOAD_SIZE", 3000000); // Upload a file if(isset($_POST['uploadReplay'])) { if(!isset($_FILES['replay_file']) || !isset($_POST['replay_title']) || !isset($_POST['replay_winner']) || !isset($_POST['replay_text'])) { echo 'Error: Make sure you\'ve filled out all the fields.'; } else { $title = htmlspecialchars(trim($_POST['replay_title'])); $winner = htmlspecialchars(trim($_POST['replay_winner'])); $text = htmlspecialchars(trim($_POST['replay_text'])); // Check that we have a file $replayUploaded = false; $replayFile = ""; if(( !empty($title) && !empty($winner) && !empty($_FILES["replay_file"])) && ($_FILES['replay_file']['error'] == 0)) { //Check if the file is JPEG image and it's size is less than 350Kb $filename = basename($_FILES['replay_file']['name']); $ext = substr($filename, strrpos($filename, '.') + 1); $uniqueID = time(); if (($ext == "w3g") && $_FILES["replay_file"]["size"] < MAX_UPLOAD_SIZE) { //Determine the path to which we want to save this file $newname = dirname(__FILE__).'/replays/'.$uniqueID.'.'.$ext; //Check if the file with the same name is already exists on the server if (!file_exists($newname)) { //Attempt to move the uploaded file to it's new place if ((move_uploaded_file($_FILES['replay_file']['tmp_name'], $newname))) { $replayFile = $uniqueID.'.'.$ext; $replayUploaded = true; } else { print_message("Error: A problem occurred during file upload!"); } } else { print_message("Error: File ".$_FILES["replay_file"]["name"]." already exists"); } } else { print_message("Error: Only .w3g replays under 3 MB are accepted for upload"); } } else { print_message("Error: Make sure you've filled out all the fields"); } // If the replay was uploadead successfully, process it if( $replayUploaded ) { @require("reshine.php"); require('replay_saver.php'); $replay = new replay('replays/'.$replayFile); $replay->extra['title'] = $title; /* Determine the winner * If the uploader chose "Automatic" then check if the parser was able to determine a winner, * otherwise the winner is set to "Unknown" * Alternatively the uploader can set the winner manually */ if("Automatic" != $winner) { $replay->extra['winner'] = ( $winner == "Sentinel" ? "Sentinel" : "Scourge" ); } else if(isset($replay->extra['parsed_winner'])) { $replay->extra['winner'] = $replay->extra['parsed_winner']; } else { $replay->extra['winner'] = "Unknown"; } $replay->extra['text'] = $text; $replay->extra['original_filename'] = $filename; $txt_file = fopen('replays/'.$replayFile.'.txt', 'a'); flock($txt_file, 2); fputs($txt_file, serialize($replay)); flock($txt_file, 3); fclose($txt_file); if ( $replay->extra['parsed'] == false ) { // Replay not parsed } else { // Replay saved, display the link. //Create replay saver object $replaysaver=new replaysaver($title,$text,$replayFile); //Call save methode $replaysaver->saveData(); print_message('Replay uploaded successfully. View details '); $print_info = true; } } } } function print_message($msg) { echo '
'; echo $msg; echo '
'; } ?> 
<div class="content" style="width: 99%;">



    <form enctype="multipart/form-data" action="index.php" method="post">

    <fieldset>

      <label for="replay_title" >Title*: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</label><input name="replay_title" id="replay_title" type="input" />

      <br />

      <label for="replay_winner" >Winner: &nbsp;&nbsp;&nbsp;&nbsp;</label>

        <select name="replay_winner" id="replay_winner"  />

            <option value="Automatic">Automatic </option>

            <option value="Sentinel">Sentinel </option>

            <option value="Scourge">Scourge </option>

        </select>

      <br />

      <label for="replay_text" style="vertical-align: top;" >Description: </label>

      <textarea name="replay_text" id="replay_text" cols="65"></textarea>

      <br />

      <input type="hidden" name="MAX_FILE_SIZE" id="'.MAX_UPLOAD_SIZE.'" value="3000000" />

      <label for="replay_file" >File*: </label><input name="replay_file" id="replay_file" type="file" />

      <input type="submit" value="Upload" name="uploadReplay" />

    </fieldset>

  </form>


DotA 6.75 is now fully supported !



There are currently

<? $directory = "/home/rgc123/public_html/replays/"; if (glob($directory . "*.w3g") != false) { $filecount = count(glob($directory . "*.w3g")); echo $filecount; } else { echo 0; } ?>

DotA replays in our database and counting!





</div>

© 2012 Made by BitchGotRaped


[/code]
#4

Check the extension using $_FILE[‘replay_file’][‘type’] not the name variable this should eliminate your issues.

#5

The “type” does not exist in the script, help me out please.

#6

http://www.php.net/manual/en/features.file-upload.post-method.php

$_FILES[‘userfile’][‘type’]
The mime type of the file, if the browser provided this information. An example would be “image/gif”. This mime type is however not checked on the PHP side and therefore don’t take its value for granted.

#7

How can I add that to my script ?
I want to just let the uploader upload “.w3g” files so type should be

file/w3g ?

#8

try

application/w3g

#9

I’m not knowing how to add that to my script … ??? :-\

#10

This line [php]if (($ext == “w3g”) && $_FILES[“replay_file”][“size”] < MAX_UPLOAD_SIZE) {
[/php]

should look something like this

[php]if (($_FILES[‘replay_file’][‘type’]) == “application/w3g”) && ($_FILES[“replay_file”][“size”] < MAX_UPLOAD_SIZE)) {
[/php]

#11

arse error: syntax error, unexpected T_BOOLEAN_AND in /home/rgc123/public_html/index.php on line 94

#12

what is on line 94?

#13

This one

if (($_FILES[‘replay_file’][‘type’]) == “application/w3g”) && ($_FILES[“replay_file”][“size”] < MAX_UPLOAD_SIZE)) {

it did not work, caused the error I showed you, listen do you by any chance have skype in which we can chat faster.

#14

You have an error on that line. Remove the bracket after $_FILES[‘replay_file’][‘type’]

if (($_FILES[‘replay_file’][‘type’] == “application/w3g”) && ($_FILES[“replay_file”][“size”] < MAX_UPLOAD_SIZE))

#15

Here it is corrected.
[php]if (($_FILES[‘replay_file’][‘type’] == “application/w3g”) && ($_FILES[“replay_file”][“size”] < MAX_UPLOAD_SIZE)) {
[/php]

#16

I got the following error:

Error: Only .w3g replays under 3 MB are accepted for upload

#17

Good! That is your error message!

#18

What I mean is that is what is supposed to say when you upload a file larger than 3MB. Which apparently you did or there is something wrong with your if if if if if if then statement

#19

nope I’m uploading .w3g file and it gave me that error -,-

#20

If the FILE is larger than 3 MB in size you will get that error! Your script checks file sizes and type remember!

Sponsor our Newsletter | Privacy Policy | Terms of Service