Author Topic: Simple way to disable Upload Functionality (for Security)  (Read 8454 times)

Keyrocks

  • Doug
  • ULTIMATE member
  • ******
  • Karma: 449
  • Posts: 6020
  • Semantically Challenged
    • snews.ca
Simple way to disable Upload Functionality (for Security)
« Reply #15 on: February 09, 2007, 05:03:53 pm »

Quote from: mike1
Another option would be to set the file extensions allowed (i.e. only .pdf, .doc, .mp3) and disallow (.php, .cgi etc.) files from being uploaded, hardcoded of course. I'm not sure if this is already in the 1.5.31 core because I haven't looked at it, but I'm reasonably certain it wasn't in 1.5.30.
I'm just posting an option I haven't seen already (i.e. I personally wouldn't need the option, but it's just an idea).
Yes - we have this option in 1.5.31... in the filelist function:
Quote
// FILELIST FUNCTION
function filelist($mode, $path, $depth = 0) {
// Folders or files you DON'T want displayed... by name
   $ignore = array('cgi-bin', '.htaccess', '.', '..', 'Thumbs.db');
// File extensions you DON'T want displayed... by file-type
   $extension = array('.php', 'html');
Logged
Do it now... later may not come.
-------------------------------------------------------------------------------------------------
sNews 1.6 MESU | sNews 1.6 MEMU

mike1

  • Full Member
  • ***
  • Karma: 6
  • Posts: 199
Simple way to disable Upload Functionality (for Security)
« Reply #16 on: February 09, 2007, 07:56:37 pm »

I don't think that's exactly what I was talking about. I wasn't referring to the displaying of files or certain directories. I was referring to the actual uploading of the files, so if you want the uploader to only upload .doc or .pdf, it would only upload files with those 2 extensions, while throwing back an error if you try to upload .php or .cgi etc.

If I read the code correctly, the filelist function is only used when you are within the admin panel and you don't want certain folders LISTED, or file extensions listed. If it actually blocks the UPLOAD of files with certain extensions, please correct me if I am wrong.
Logged

Keyrocks

  • Doug
  • ULTIMATE member
  • ******
  • Karma: 449
  • Posts: 6020
  • Semantically Challenged
    • snews.ca
Simple way to disable Upload Functionality (for Security)
« Reply #17 on: February 09, 2007, 08:47:27 pm »

Quote from: mike1
I don't think that's exactly what I was talking about... If I read the code correctly, the filelist function is only used when you are within the admin panel and you don't want certain folders LISTED, or file extensions listed. If it actually blocks the UPLOAD of files with certain extensions, please correct me if I am wrong.
Right - this only lets you change what is visible in the admin panel. You want to restrict uploading to specific file-types only. Perhaps a look at this PHP-based File Extension Validator script might be modified to work with sNews. It's part of a complete set of Upload Class functions.
Logged
Do it now... later may not come.
-------------------------------------------------------------------------------------------------
sNews 1.6 MESU | sNews 1.6 MEMU

mike1

  • Full Member
  • ***
  • Karma: 6
  • Posts: 199
Simple way to disable Upload Functionality (for Security)
« Reply #18 on: February 09, 2007, 10:33:02 pm »

Thanks Key. I may take a look at it if no one else does, just to play around (I wouldn't expect much though, 'cause I'm terrible at PHP unfortunately). I don't personally need it though... it was just a suggestion. ;)

good day :)

EDIT:

Here's an idea I found while looking at other uploaders on the web.

function files() starts with
Code: [Select]
if (isset($_POST['upload']) && isset($_SESSION[db('website').'Logged_In']) && $_POST['ip'] == $_SERVER['REMOTE_ADDR'] && (time() - $_POST['time']) > 4) {
which gives the conditions that need to be met for the upload to not kick back an error. If we add another condition to that like

Code: [Select]
if (isset($_POST['upload']) && isset($_SESSION[db('website').'Logged_In']) && $_POST['ip'] == $_SERVER['REMOTE_ADDR'] && (time() - $_POST['time']) > 4 && in_array(EXTENSION OF THE FILE YOU'RE UPLOADING, $config['allowed_ext'])) {
where

Code: [Select]
// one array element per allowed extension (a single "mp3, doc, ..." string would never match)
$config['allowed_ext'] = array('mp3', 'doc', 'pdf', 'rtf', 'txt');
the in_array function would check whether the extension of the file you're uploading matches the allowed extensions, which are specified in the given array. Then, only if the condition is met, the file will upload. The only thing I don't get is how to get the extension of the file you're uploading, so someone will have to keep the ball rolling from here if deemed useful :). I also assume there needs to be an echo from the in_array function.

NOTE: the code is from 1.5.30 (with no token), but the concept is the same for 1.5.31 as well
Logged

philmoz

  • High flyer
  • ULTIMATE member
  • ******
  • Karma: 161
  • Posts: 1988
    • fiddle 'n fly
Simple way to disable Upload Functionality (for Security)
« Reply #19 on: February 14, 2007, 05:58:39 pm »

Quote from: keyrocks
P-Empire's point is interesting... that there are URL scanners that can scan your URL and pick up all the pages attached to it.  I question whether this is the case. It would make sense if the login panel was a physical page. However... in sNews... the login page & link to it don't physically exist until it is requested... it is only created "on demand"... and it disappears - physically speaking - once the panel leaves the screen. The links to articles and pages are stored in the dbase's articles table, but the link to the login panel is hard-coded and not in a dbase table. For this reason, I doubt the login panel link can be found in a scan of that sort. By all means... correct me if I am wrong. :)
http://www.google.com.au/search?client=opera&rls=en&q=login+snews&sourceid=opera&num=75&ie=utf-8&oe=utf-8

Results 1 - 75 of about 175,000 for login snews

Obfuscate the login link, and the site will realistically fail on this search unless you happen to have an article that uses the word 'login'.
A Google search for just snews results in 1,640,000 for snews.
Logged
Of all the things I have lost, it is my mind that I miss the most.

philmoz

  • High flyer
  • ULTIMATE member
  • ******
  • Karma: 161
  • Posts: 1988
    • fiddle 'n fly
Simple way to disable Upload Functionality (for Security)
« Reply #20 on: February 14, 2007, 09:16:43 pm »

Quote from: mike1
function files() starts with
Code: [Select]
if (isset($_POST['upload']) && isset($_SESSION[db('website').'Logged_In']) && $_POST['ip'] == $_SERVER['REMOTE_ADDR'] && (time() - $_POST['time']) > 4) {
which gives the conditions that need to be met for the upload to not kick back an error.

The only thing I don't get is how to get the extension of the file you're uploading, so someone will have to keep the ball rolling from here if deemed useful :). I also assume there needs to be an echo from the in_array function.
ok, here is my take on it.
Quote
/*** FILES ***/
function files() {
   // complete file names that must never be uploaded
   $files_ignored = array('cgi-bin', '.htaccess', '.', '..', 'Thumbs.db');
   // extensions (without the dot) that must never be uploaded
   $extensions_ignored = array('php', 'exe', 'psd', 'msi');

   if (isset($_POST['upload']) && $_SESSION[db('website').'Logged_In'] == token() && $_POST['ip'] == $_SERVER['REMOTE_ADDR'] && (time() - $_POST['time']) > 4) {
      if ($_FILES['imagefile']['type']) {
         $filext = explode('.', $_FILES['imagefile']['name']);
         $field = count($filext) - 1; // index of the LAST segment, i.e. the real extension
         if (in_array($filext[$field], $extensions_ignored) || in_array($_FILES['imagefile']['name'], $files_ignored)) {
            echo '<h2>'.l('admin_error').'</h2><p>'.l('file_error').'</p>';
         } else {
            $upload_dir = $_POST['upload_dir'].'/';
            copy($_FILES['imagefile']['tmp_name'], $upload_dir.$_FILES['imagefile']['name']) or die(l('file_error'));
            echo notification('', '', 'files/');
            $kb_size = round(($_FILES['imagefile']['size'] / 1024), 1);
            echo '<p>'.$_FILES['imagefile']['name'].' ['.$kb_size.' KB] ['.$_FILES['imagefile']['type'].']</p>';
         }
      }  // end of code changes.
      else {
         echo '<h2>'.l('admin_error').'</h2><p>'.l('file_error').'</p>';
      }
   }
   // ... the remainder of the original files() function follows unchanged
This is the top part of the files() function as I've amended it.
It should work ....  :P  USE AT OWN RISK!!!!

$files_ignored -  place any particular complete filenames that you DO NOT want uploaded via snews upload.
$extensions_ignored - place the extensions (not dots) that you want to prevent uploading with snews upload.

Any files blocked will require uploading using an external agent.

Hope this helps...
Phil.
Logged
Of all the things I have lost, it is my mind that I miss the most.

codetwist

  • Hero Member
  • *****
  • Karma: 50
  • Posts: 940
Simple way to disable Upload Functionality (for Security)
« Reply #21 on: February 14, 2007, 10:07:03 pm »

Hi, there :D

This fragment will not achieve the goal for files like "destroy.your.site.php":
Code: [Select]
        ...
        if ($_FILES['imagefile']['type']) {
            $filext = explode('.',$_FILES['imagefile']['name']);
            if (in_array($filext[1], $extensions_ignored) || in_array($_FILES['imagefile']['name'], $files_ignored)){
                echo '<h2>'.l('admin_error').'</h2><p>'.l('file_error').'</p>';
            }else{
        ...
You need the last element, not the second one, from the array $filext.
« Last Edit: September 24, 2007, 01:01:40 pm by codetwist »
Logged
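As an added example (not code from this thread or from sNews itself), here is a whitelist check in the spirit of mike1's allowed_ext idea that also handles the multi-dot names codetwist raised; the allowed and blocked lists, the function name and the sample file names are all constructed for the demo.

```php
<?php
// Added example, not sNews code: validate an upload name against a whitelist of
// extensions, taking the LAST dot-separated segment as the real extension.

function upload_extension_allowed(string $name, array $allowed, array $never): bool
{
    $name = basename($name);                       // drop any directory part sent by the client
    if ($name === '' || strpbrk($name, "\0\r\n") !== false) {
        return false;                              // empty name or control characters
    }
    $parts = explode('.', strtolower($name));      // case-insensitive comparison
    if (count($parts) < 2 || end($parts) === '') {
        return false;                              // no extension at all, or a trailing dot
    }
    $ext = array_pop($parts);                      // last segment = extension (destroy.your.site.php -> php)
    if (!in_array($ext, $allowed, true)) {
        return false;                              // whitelist: anything not listed is refused
    }
    // Also refuse executable extensions buried earlier in the name (report.php.txt),
    // because some web server configurations act on more than the final extension.
    array_shift($parts);                           // first segment is the base name, not an extension
    foreach ($parts as $segment) {
        if (in_array($segment, $never, true)) {
            return false;
        }
    }
    return true;
}

$allowed = ['mp3', 'doc', 'pdf', 'rtf', 'txt'];   // constructed whitelist, as mike1 suggested
$never   = ['php', 'phtml', 'cgi', 'exe'];         // constructed list of types never accepted anywhere in a name

// Constructed sample names with the expected verdict for each.
$samples = [
    'report.pdf'            => true,
    'destroy.your.site.php' => false,   // last segment is php
    'notes.txt'             => true,
    'report.php.txt'        => false,   // php hidden in the middle
    '../../config.php'      => false,   // directory part stripped, then php refused
    'README'                => false,   // no extension
    'song.MP3'              => true,    // upper case still matches
];
foreach ($samples as $file => $expected) {
    $ok = upload_extension_allowed($file, $allowed, $never);
    printf("%-24s %s\n", $file, $ok === $expected ? 'OK' : 'MISMATCH');
}
```

In files() this would be called on $_FILES['imagefile']['name'] before the copy, so a refused name hits the same error branch as philmoz's blacklist; using move_uploaded_file() instead of copy() also ensures only a file PHP itself received through the upload is written into the directory.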

philmoz

  • High flyer
  • ULTIMATE member
  • ******
  • Karma: 161
  • Posts: 1988
    • fiddle 'n fly
Simple way to disable Upload Functionality (for Security)
« Reply #22 on: February 14, 2007, 11:05:09 pm »

damn, caught out again :D
added $field=count($filext)-1; and used it to replace the 1 in $filext[1]

(code above updated  in post http://www.solucija.com/forum/viewtopic.php?pid=23251#p23251 )

How about that then?
Logged
Of all the things I have lost, it is my mind that I miss the most.

mike1

  • Full Member
  • ***
  • Karma: 6
  • Posts: 199
Simple way to disable Upload Functionality (for Security)
« Reply #23 on: February 14, 2007, 11:12:17 pm »

Ahhhaahhhh... a blacklist instead of a whitelist. I didn't think of that. Nice work philmoz.
Logged

philmoz

  • High flyer
  • ULTIMATE member
  • ******
  • Karma: 161
  • Posts: 1988
    • fiddle 'n fly
Simple way to disable Upload Functionality (for Security)
« Reply #24 on: February 14, 2007, 11:48:20 pm »

Quote from: mike1
Ahhhaahhhh... a blacklist instead of a whitelist. I didn't think of that. Nice work philmoz.
blacklists tend to be shorter than white ones... not always but usually ;)
Logged
Of all the things I have lost, it is my mind that I miss the most.

codetwist

  • Hero Member
  • *****
  • Karma: 50
  • Posts: 940
Simple way to disable Upload Functionality (for Security)
« Reply #25 on: February 15, 2007, 09:26:16 am »

Hi, there :D

Quote from: philmoz
damn, caught out again :D
added $field=count($filext)-1; and used it to replace the 1 in $filext[1]

(code above updated  in post http://www.solucija.com/forum/viewtopic.php?pid=23251#p23251 )

How about that then?
I think, Phil, you can just shell this one into the MOD section as well - it's basically finished and working.
:P
« Last Edit: September 24, 2007, 01:02:23 pm by codetwist »
Logged

philmoz

  • High flyer
  • ULTIMATE member
  • ******
  • Karma: 161
  • Posts: 1988
    • fiddle 'n fly
Simple way to disable Upload Functionality (for Security)
« Reply #26 on: February 15, 2007, 01:16:22 pm »

Done.
Logged
Of all the things I have lost, it is my mind that I miss the most.

mininovax

  • Newbie
  • *
  • Karma: 1
  • Posts: 44
    • http://www.ondapc.net
Simple way to disable Upload Functionality (for Security)
« Reply #27 on: February 21, 2007, 10:29:40 pm »

Quote
Results 1 - 75 of about 175,000 for login snews

Obfuscate the login link, and the site will realistically fail on this search unless you happen to have an article that uses the word 'login'.
A Google search for just snews results in 1,640,000 for snews.
I had to comment on this matter. The idea that a login link should not be published is like saying that the whole application is unsafe.

Most companies have a login link somewhere on the net. There is no reason why sNews should not have one. I would not focus on obfuscating / hiding / jimmying the login link.

I would focus on a security methodology that works. For example: "Has anyone tried to do a 1-2-3 strikes you're out login application?" Basically you get maybe (5) tries. If you do not input the correct login, then you are sent to a "Go Away" page - admin is notified of the hack attempt... which might escalate to "firewall rules" being put in place.

I know that this is perhaps harder to do than it seems.
Logged