-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Tue, 13 Feb 2001, jason cox wrote:
> Aaron,
>
> Are you processing the file on the page you're
> "posting" to?
Yep. A little more info this time. Ok this makes no freaking sense to
me:
I can upload my /etc/passwd file
- -rw-r--r-- 1 root root 998 Dec 9 01:44 /etc/passwd
I can't upload other random files in my home directory which I own/have
read access to.
- -rw-rw-r-- 1 aturner aturner 84558 Jan 9 17:01 /home/aturner/1323.txt
> Could you send your processing code so
> we can have a look? If you're still having problems,
> I can send you an example.
Sure:
<?PHP
require "security.inc"; # checks user cookie to see if they have access
include "connect.inc"; # connects to database
function is_an_uploaded_file($filename) {
if (! $tmp_file = get_cfg_var('upload_tmp_dir')) {
$tmp_file = dirname(tempname('', ''));
}
$tmp_file .= '/' . basename($filename);
# User might have trailing / in php.ini
return (ereg_replace('/+', '/', $tmp_file) == $filename);
}
function abortupload($message) {
echo "<H1 align=center>$message</H1>";
unlink ($HTTP_POST_FILES[userfile][tmp_name]);
phpinfo();
echo "</BODY></HTML>";
exit;
}
?>
<HTML>
<HEAD>
<TITLE>Sunnyvale Staging Server</TITLE>
</HEAD>
<!-- Background white, links blue (unvisited), navy (visited), red (active) -->
<BODY
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#000080"
ALINK="#FF0000"
>
<font size=-1>[ <a href="/">Main Index</a> ]</font>
<?PHP
if ($uploadingfile == "") {
$line = "<form enctype='multipart/form-data' action='/admin/upload.php' method='post'>
<input type=hidden name=MAX_FILE_SIZE value=5000>
<input type=hidden name=uploadingfile value=true>
Choose upload location: <select name=directory>
<option name=Files>Files</option>
<option name=Docs>Documentation</option>
</select>\n<P>";
echo $line;
echo "Link Description: <input type=text name=description size=80 value=''><P>\n";
echo "Detailed Description:<br><textarea wrap=soft name=info rows=5
cols=80></textarea><P>\n";
echo "<input type=hidden name=urltype value=file>";
echo "Active: <select name=active><option value=y>Yes</option><option
value=n>No</option><option value=s>Submitted</option></select><P>\n";
$result = mysql_query("SELECT * FROM groups");
$line = "<select name=urlgroup>";
while ($row = mysql_fetch_array($result)) {
$line .= "<option value=$row[groupID]>$row[groupname] ($row[page])</option>";
}
$line .= "</select><P>\n";
# echo "Group: $line";
echo "<input type=hidden name=urlgroup value=1>";
echo "Choose File: <input name=userfile size=69 type=file value=''><P>\n";
echo "<input type=submit value='Send File'></form>";
} else {
$location = "";
if ($HTTP_POST_VARS[directory] = "Files") {
$location = "/usr/local/apache1.3.14/htdocs/Files";
} elseif ($HTTP_POST_VARS[directory] = "Docs") {
$location = "/usr/local/apache1.3.14/htdocs/Docs";
} else {
abortupload ("Error! Invalid Directory value: $HTTP_POST_VARS[directory]");
}
if ($description == "") {
abortupload("Error! Please provide a description for this document");
} elseif ($info == "") {
abortupload("Error! Please provide information for this document");
}
if ($uploadfile = is_an_uploaded_file($userfile)) {
$uploadfile = $location . "/" . $HTTP_POST_FILES[userfile][name];
copy ($userfile, $uploadfile);
$result = mysql_query("SELECT * FROM users WHERE LoginName = '$loginname'
LIMIT 1");
$userrow = mysql_fetch_array($result);
$url = "/" . $HTTP_POST_VARS[directory] . "/" .
$HTTP_POST_FILES[userfile][name];
$mirror = 0;
$result = mysql_query("SELECT * FROM urls WHERE url = '$url'");
if ($existing = mysql_fetch_array($result)) {
if ($existing[owner] != $userrow[UserID]) {
abortupload("Error: Your user ID doesn't have permission to modify
this file.");
}
} else {
$result = mysql_query("INSERT INTO urls (owner, urlgroup, url, urldesc, info,
active, mirror, urltype) VALUES ('$userrow[UserID]', '$HTTP_POST_VARS[urlgroup]',
'$url', '$HTTP_POST_VARS[description]', '$HTTP_POST_VARS[info]',
'$HTTP_POST_VARS[active]', '$mirror', '$HTTP_POST_VARS[urltype]')");
echo "<H1 align=center>File upload complete!</H1>";
}
} else {
abortupload("Possible file upload attack: filename: " .
$HTTP_POST_FILES["userfile"]["name"] . ".");
}
}
?>
</body>
</html>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: Public key at: http://www.synfin.net/aturner/pgpkey.asc
iEYEARECAAYFAjqJ08sACgkQhweYF/hu2ubukACbBij1wtVYr1gTngdHsXgrKmOr
ai8AnicSOVkP6OS1qiwfSQBBPqmL566k
=kNOr
-----END PGP SIGNATURE-----
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
