Security: PHP files can no longer be uploaded - see https://www.exploit-db.com/exploits/39870

This commit is contained in:
azett 2018-12-31 15:13:49 +01:00
parent 1415afc6b1
commit 082c113d67


@ -12,15 +12,21 @@
* @author NoWhereMan <real_nowhereman at users dot sf dot com> * @author NoWhereMan <real_nowhereman at users dot sf dot com>
* *
*/ */
class admin_uploader extends AdminPanel { class admin_uploader extends AdminPanel {
var $panelname = 'uploader'; var $panelname = 'uploader';
var $actions = array('default'=>true);
}
var $actions = array(
'default' => true
);
class admin_uploader_default extends AdminPanelAction { }
var $events = array('upload'); class admin_uploader_default extends AdminPanelAction {
var $events = array(
'upload'
);
function main() { function main() {
if ($f = sess_remove('admin_uploader_files')) if ($f = sess_remove('admin_uploader_files'))
@ -28,7 +34,6 @@
} }
function onupload() { function onupload() {
$success = false; $success = false;
if (!file_exists(IMAGES_DIR)) if (!file_exists(IMAGES_DIR))
@ -37,25 +42,41 @@
if (!file_exists(ATTACHS_DIR)) if (!file_exists(ATTACHS_DIR))
fs_mkdir(ATTACHS_DIR); fs_mkdir(ATTACHS_DIR);
$imgs = array(
'.jpg',
'.gif',
'.png',
'.jpeg'
);
$forbidden = array(
'.php',
'.php3',
'.php4',
'.php5',
'.php7',
'.phtml'
);
$imgs = array('.jpg','.gif','.png', '.jpeg'); // intentionally
// I've not put BMPs
//intentionally $uploaded_files = array();
//I've not put BMPs
$uploaded_files=array(); foreach ($_FILES ["upload"] ["error"] as $key => $error) {
foreach ($_FILES["upload"]["error"] as $key => $error) {
if ($error == UPLOAD_ERR_OK) { if ($error == UPLOAD_ERR_OK) {
$tmp_name = $_FILES["upload"]["tmp_name"][$key]; $tmp_name = $_FILES ["upload"] ["tmp_name"] [$key];
$name = $_FILES["upload"]["name"][$key]; $name = $_FILES ["upload"] ["name"] [$key];
$dir = ATTACHS_DIR; $dir = ATTACHS_DIR;
$ext = strtolower(strrchr($name,'.')); $ext = strtolower(strrchr($name, '.'));
if (in_array($ext,$imgs)) { if (in_array($ext, $forbidden)) {
$success = false;
continue;
}
if (in_array($ext, $imgs)) {
$dir = IMAGES_DIR; $dir = IMAGES_DIR;
} }
@ -64,26 +85,23 @@
$target = "$dir/$name"; $target = "$dir/$name";
@umask(022); @umask(022);
$success = move_uploaded_file($tmp_name, $target); $success = move_uploaded_file($tmp_name, $target);
@chmod($target,0766); @chmod($target, 0766);
$uploaded_files[] = $name; $uploaded_files [] = $name;
// one failure will make $success == false :) // one failure will make $success == false :)
$success &= $success; $success &= $success;
} }
} }
if ($uploaded_files) { if ($uploaded_files) {
$this->smarty->assign('success', $success? 1 : -1); $this->smarty->assign('success', $success ? 1 : -1);
sess_add('admin_uploader_files', $uploaded_files); sess_add('admin_uploader_files', $uploaded_files);
} }
return 1; return 1;
}
} }
?> }
?>
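Review bot: The new `$forbidden` deny-list (lines 42-49) still admits names that Apache hands to the PHP handler on common configurations, because only the final extension from `strrchr` is compared: `shell.php.jpg` passes, `.phar`/`.pht`/`.phps` are not listed, and an uploaded `.htaccess` (whose `$ext` is `.htaccess`) could re-enable script handling for anything else in ATTACHS_DIR. I would add `'.phar', '.pht', '.phps', '.htaccess'` to the list and reject a name when any dot-separated segment matches, as sketched below; an allow-list of the attachment types the blog actually wants would be stronger still, if they can be enumerated. Two smaller points in the same function: `@chmod($target, 0766)` leaves every upload world-writable where 0644 suffices for a served file, and `$target = "$dir/$name"` uses the client-supplied name directly — PHP normally reduces it to a basename, but `basename($name)` would make that guarantee explicit here. `onupload()` starts in the previous hunk.
```php
$ext = strtolower(strrchr($name, '.'));
// Check every extension segment, not only the last one: with Apache
// AddHandler/FilesMatch rules "shell.php.jpg" is still run as PHP.
$segments = explode('.', strtolower($name));
array_shift($segments); // drop the base name
$blocked = false;
foreach ($segments as $segment) {
    if (in_array('.' . $segment, $forbidden, true)) {
        $blocked = true;
        break;
    }
}
if ($blocked) {
    $success = false;
    continue;
}
// … unchanged: IMAGES_DIR selection, move_uploaded_file, chmod …
```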