June 8th, 2004, 09:03 PM
What could happen with upload img script?
Hi all,
On a site I own I have a simple PHP upload script (source code at bottom of the post). I checked the directory the uploads go to and saw a file called something similar to: 1111111111111111111111111111111111111111111111.jpg (but with about 10 times more 1's). So I downloaded it to see what it was and it said "You've been hacked by crfs". So obviously, this image was intended to overflow my script.
Firstly, what could he gain access to if he did manage to overflow it? I've read up on application buffer overflows (software) but not so much on web-based overflows (the first thing I'm going to do after this post is look them up).
Second, how could I prevent users from being able to upload scripts over 30 characters or something?
Well, here is the source:
<html>
<head>
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body bgcolor="#647181">
<table><tr><td>
<FORM ENCTYPE="multipart/form-data" ACTION="image.php" METHOD="POST">
<font color="#ffffff">Select a file to upload. Only jpg/gif allowed. :</font> <INPUT TYPE="file" NAME="userfile">
<INPUT TYPE="submit" VALUE="Upload">
</FORM>
<?php
$path = "";          // upload directory, relative to this script
$max_size = 100000;  // size limit in bytes
// $HTTP_POST_FILES is the old name of the $_FILES array
if (!isset($HTTP_POST_FILES['userfile'])) exit;
if (is_uploaded_file($HTTP_POST_FILES['userfile']['tmp_name'])) {
    if ($HTTP_POST_FILES['userfile']['size'] > $max_size) { echo "The file is too big \n"; exit; }
    // 'type' is the MIME type reported by the browser; PHP does not verify it
    if (($HTTP_POST_FILES['userfile']['type'] == "image/gif") || ($HTTP_POST_FILES['userfile']['type'] == "image/pjpeg") || ($HTTP_POST_FILES['userfile']['type'] == "image/jpeg")) {
        // 'name' is the filename exactly as the browser sent it
        if (file_exists($path . $HTTP_POST_FILES['userfile']['name'])) { echo "The file already exists \n"; exit; }
        $res = copy($HTTP_POST_FILES['userfile']['tmp_name'], $path . $HTTP_POST_FILES['userfile']['name']);
        if (!$res) { echo "Upload Failed! \n"; exit; } else { echo "Upload Successful \n"; }
        echo "\n\nFile Name: http://www.censored.net/incoming/" . $HTTP_POST_FILES['userfile']['name'] . " \n";
        echo "File Size: " . $HTTP_POST_FILES['userfile']['size'] . " bytes \n";
        echo "File Type: " . $HTTP_POST_FILES['userfile']['type'] . " \n";
    } else { echo "Wrong file type \n"; exit; }
}
?>
</td></tr></table>
</body>
</html>
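The script above trusts two things the browser controls: the MIME type in the 'type' field and the filename in the 'name' field, which it writes to disk unchanged, so the uploaded name decides both the stored extension and the path. The following handler is an added example, not the original poster's code, showing how the same form can be served safely: the image type is determined from the file's bytes with getimagesize(), the name on disk is generated by the server, the client's name is only whitelisted and capped at 30 characters for display, and move_uploaded_file() replaces copy(). UPLOAD_DIR is an assumed path and should point at a directory the web server does not execute scripts from.

```php
<?php
// Added example (not the original poster's script): a hardened handler for
// the same "userfile" form field. UPLOAD_DIR is an assumption; use a
// directory with script execution disabled (e.g. no PHP handler for it).
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/incoming';  // assumed path, adjust as needed
const MAX_BYTES  = 100000;                  // same limit as the original script
const MAX_NAME   = 30;                      // display-name cap the poster asked about

// The extension is chosen by us from the *detected* image type, never taken
// from the client's filename.
const ALLOWED_TYPES = [
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_JPEG => 'jpg',
];

// Strip directory parts, replace anything outside a small whitelist and cap
// the length. Used only for what is echoed back, never for the path on disk.
function sanitize_display_name(string $name): string
{
    $base = basename(str_replace('\\', '/', $name));
    $base = preg_replace('/[^A-Za-z0-9._-]/', '_', $base) ?? '';
    return substr($base, 0, MAX_NAME);
}

// Validates one entry of $_FILES and stores it under a server-chosen name.
// Returns the stored filename; throws RuntimeException on any rejection.
function handle_upload(array $file): string
{
    // 1. PHP reports partial uploads, php.ini size limits, etc. here.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed (error code ' . ($file['error'] ?? 'n/a') . ')');
    }
    // 2. Only accept a file PHP itself received through this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    // 3. Measure the size on the server side instead of trusting $file['size'].
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('The file is too big');
    }
    // 4. Determine the type from the bytes; $file['type'] is set by the client.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED_TYPES[$info[2]])) {
        throw new RuntimeException('Wrong file type');
    }
    $ext = ALLOWED_TYPES[$info[2]];

    // 5. Random server-side name: an overlong or "../" client name never
    //    reaches the filesystem, and collisions with existing files are unlikely.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $target = UPLOAD_DIR . '/' . $stored;
    if (file_exists($target)) {
        throw new RuntimeException('The file already exists');
    }
    // 6. move_uploaded_file() refuses anything that is not a real upload.
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Upload failed');
    }
    return $stored;
}

if (!isset($_FILES['userfile'])) {
    exit;
}
try {
    $stored = handle_upload($_FILES['userfile']);
    $shown  = sanitize_display_name((string) $_FILES['userfile']['name']);
    // Escape everything echoed back so a crafted name cannot inject HTML.
    echo 'Upload Successful' . "\n";
    echo 'Stored as: ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8') . "\n";
    echo 'Original name: ' . htmlspecialchars($shown, ENT_QUOTES, 'UTF-8') . "\n";
} catch (RuntimeException $e) {
    echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8') . "\n";
}
?>
```

Two points about the design: the size and type checks both read the temporary file rather than the fields the browser filled in, and the length cap applies to a display string only, so a long filename is a cosmetic problem rather than a reason to reject the upload. Whatever directory UPLOAD_DIR points at should also be configured so the web server serves its contents as static files only (with Apache's mod_php, for example, a php_flag engine off directive in that directory), so a file that passes the checks still cannot run as code.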