From 082c113d67fe20c84c2591043f126d9023878847 Mon Sep 17 00:00:00 2001
From: azett
Date: Mon, 31 Dec 2018 15:13:49 +0100
Subject: [PATCH] Security: PHP files can not be uploaded any more - see https://www.exploit-db.com/exploits/39870
---
 admin/panels/uploader/admin.uploader.php | 162 +++++++++++++----
 1 file changed, 90 insertions(+), 72 deletions(-)
diff --git a/admin/panels/uploader/admin.uploader.php b/admin/panels/uploader/admin.uploader.php
index 0c627bf..30ec9c9 100755
--- a/admin/panels/uploader/admin.uploader.php
+++ b/admin/panels/uploader/admin.uploader.php
@@ -3,87 +3,105 @@ /** * uploader control panel * - * Type: - * Name: - * Date: - * Purpose: + * Type: + * Name: + * Date: + * Purpose: * Input: - * - * @author NoWhereMan * + * @author NoWhereMan + * */ - class admin_uploader extends AdminPanel { - var $panelname = 'uploader'; - var $actions = array('default'=>true); +class admin_uploader extends AdminPanel { + + var $panelname = 'uploader'; + + var $actions = array( + 'default' => true + ); + +} + +class admin_uploader_default extends AdminPanelAction { + + var $events = array( + 'upload' + ); + + function main() { + if ($f = sess_remove('admin_uploader_files')) + $this->smarty->assign('uploaded_files', $f); } - - class admin_uploader_default extends AdminPanelAction { - - var $events = array('upload'); - - function main() { - if ($f = sess_remove('admin_uploader_files')) - $this->smarty->assign('uploaded_files', $f); - } - - function onupload() { - - $success = false; - - if (!file_exists(IMAGES_DIR)) - fs_mkdir(IMAGES_DIR); - - if (!file_exists(ATTACHS_DIR)) - fs_mkdir(ATTACHS_DIR); + function onupload() { + $success = false; + + if (!file_exists(IMAGES_DIR)) + fs_mkdir(IMAGES_DIR); + + if (!file_exists(ATTACHS_DIR)) + fs_mkdir(ATTACHS_DIR); + + $imgs = array( + '.jpg', + '.gif', + '.png', + '.jpeg' + ); + $forbidden = array( + '.php', + '.php3', + '.php4', + '.php5', + '.php7', + '.phtml' + ); + + // intentionally + // I've not put BMPs + + $uploaded_files = array(); + + foreach ($_FILES ["upload"] ["error"] as $key => $error) { + if ($error == UPLOAD_ERR_OK) { + $tmp_name = $_FILES ["upload"] ["tmp_name"] [$key]; + $name = $_FILES ["upload"] ["name"] [$key]; - $imgs = array('.jpg','.gif','.png', '.jpeg'); - - //intentionally - //I've not put BMPs - - $uploaded_files=array(); - - foreach ($_FILES["upload"]["error"] as $key => $error) { - - if ($error == UPLOAD_ERR_OK) { - $tmp_name = $_FILES["upload"]["tmp_name"][$key]; - $name = $_FILES["upload"]["name"][$key]; - - $dir = ATTACHS_DIR; - - $ext = 
strtolower(strrchr($name,'.')); - - if (in_array($ext,$imgs)) { - $dir = IMAGES_DIR; - } - - $name = sanitize_title(substr($name, 0, -strlen($ext))) . $ext; - - $target = "$dir/$name"; - @umask(022); - $success = move_uploaded_file($tmp_name, $target); - @chmod($target,0766); - - $uploaded_files[] = $name; - - // one failure will make $success == false :) - $success &= $success; - - + $dir = ATTACHS_DIR; + + $ext = strtolower(strrchr($name, '.')); + + if (in_array($ext, $forbidden)) { + $success = false; + continue; + } + if (in_array($ext, $imgs)) { + $dir = IMAGES_DIR; } + $name = sanitize_title(substr($name, 0, -strlen($ext))) . $ext; + + $target = "$dir/$name"; + @umask(022); + $success = move_uploaded_file($tmp_name, $target); + @chmod($target, 0766); + + $uploaded_files [] = $name; + + // one failure will make $success == false :) + $success &= $success; } - - if ($uploaded_files) { - $this->smarty->assign('success', $success? 1 : -1); - sess_add('admin_uploader_files', $uploaded_files); - } - - return 1; - } + + if ($uploaded_files) { + $this->smarty->assign('success', $success ? 1 : -1); + sess_add('admin_uploader_files', $uploaded_files); + } + + return 1; } - - ?> + +} + +?>
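Review bot: The new `$forbidden` denylist in onupload() is compared only against the last extension from `strrchr($name, '.')`, so any extension the web server also hands to the PHP handler but that is absent from the list (`.phar`, for instance, or whatever the host's handler configuration adds) still reaches `move_uploaded_file`. An allowlist is the more robust form of the same check: define `$allowed` as `$imgs` plus the attachment types the blog actually needs and reject with `if (!in_array($ext, $allowed, true)) { $success = false; continue; }`, which also makes the comparison strict. Separately, the rejection's `$success = false` is overwritten by the next iteration's `$success = move_uploaded_file(...)` and `$success &= $success` is a no-op, so a rejected file drops out of the status whenever a later file in the batch succeeds, and when every file is rejected `$uploaded_files` stays empty and no status is assigned at all. Tracking the failure in a separate flag (`$failed = true;` at the `continue`, then `$success = $success && !$failed;` before the `assign`) keeps the `-1` status honest.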