FalseProphet, Posted January 1, 2011

I'm allowing users to upload a file into a directory that is inside of my ftp's root directory (what is the proper term for this area anyway?). Anyway, I am uploading to this folder:

+ www.mywebsite.com/
+ files/
+ images/
- welcome.jpg
+ system/
- text.txt
- index.php
+ upload/   <-- here, this one right here
- an_uploaded_file.zip

If I have a php script that downloads from this folder would I need to worry about someone doing something that is not intended? I don't want someone overwriting my index.php with their own.
FalseProphet (Author), Posted January 2, 2011

Anyone?
trq, Posted January 2, 2011

Can't help much without code, but in general, you should be fine. You're uploading files outside of your web root.
FalseProphet (Author), Posted January 2, 2011

This is my download script:

```php
<?PHP
$getID = strtolower($_GET['file']);
$fileID = "../../../uploads/" . $getID;

// NOTE: because of operator precedence, the "!= TRUE" applies only to the last strstr(),
// so any name containing "\" or "/" makes this whole condition true and the file is served.
if (strstr($getID,"\\") || strstr($getID,"/") || strstr($getID,"../") || strstr($getID,"%") != TRUE) {
    // header code below taken from php.net
    if (file_exists($fileID)) {
        header('Content-Description: File Transfer');
        header('Content-Type: application/octet-stream');
        header('Content-Disposition: attachment; filename=' . basename($fileID));
        header('Content-Transfer-Encoding: binary');
        header('Expires: 0');
        header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
        header('Pragma: public');
        header('Content-Length: ' . filesize($fileID));
        ob_clean();
        flush();
        readfile($fileID);
    }
    // header code above taken from php.net
    else {
        echo "File does not exist on the server!";
    }
} else {
    echo "Illegal string not allowed.";
}
?>
```
FalseProphet (Author), Posted January 2, 2011

I lost the ability to edit my post..? Anyway, here is my Upload script and my download script.

Upload.php

```php
<?PHP
$fileName = $_FILES['fileupload']['name'];
$pathUploads = "../../../uploads/" . $_FILES['fileupload']['name'];

// NOTE: because of operator precedence, the "!= TRUE" applies only to the second strstr(),
// so a name containing "../" makes this condition true and the file is still moved.
if (strstr($_FILES['fileupload']['name'],"../") || strstr($_FILES['fileupload']['name'],"%") != TRUE) {
    if(move_uploaded_file($_FILES["fileupload"]["tmp_name"], $pathUploads)) {
        echo "File uploaded successfully.<br>Download link: <font color=#0055ff>http://mywebsite.com/system/temp/download.php?file=$fileName</font>";
        echo "<br> This link is CASE SENSITIVE!";
    } else {
        echo "File size exceeded. Maximum size: 2MB";
    }
} else {
    echo "File contains illegal characters.";
}
?>
```

Download.php

```php
<?PHP
$getID = $_GET['file'];
$fileID = "../../../uploads/" . $getID;

// NOTE: because of operator precedence, the "!= TRUE" applies only to the last strstr(),
// so any name containing "\" or "/" makes this whole condition true and the file is served.
if (strstr($getID,"\\") || strstr($getID,"/") || strstr($getID,"../") || strstr($getID,"%") != TRUE) {
    // header code below taken from php.net
    if (file_exists($fileID)) {
        header('Content-Description: File Transfer');
        header('Content-Type: application/octet-stream');
        header('Content-Disposition: attachment; filename=' . basename($fileID));
        header('Content-Transfer-Encoding: binary');
        header('Expires: 0');
        header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
        header('Pragma: public');
        header('Content-Length: ' . filesize($fileID));
        ob_clean();
        flush();
        readfile($fileID);
    }
    // header code above taken from php.net
    else {
        echo "File does not exist on the server!";
    }
} else {
    echo "Illegal string not allowed.";
}
?>
```
FalseProphet (Author), Posted January 3, 2011

anyone?
FalseProphet (Author), Posted January 4, 2011

Bring up my post!
FalseProphet (Author), Posted January 4, 2011

I managed to "hack" my own site through exploiting the download script. So no, it's not secure at all.
the182guy, Posted January 4, 2011

You need to check the filename that you are accepting via GET. Make sure it is just plain text with no slashes and the period is not the first character. In both upload and download I would check the file extension as well, and in the upload check the MIME type too.
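A worked version of the check the182guy describes, added here as an example (not code from the thread). It replaces the character blacklist in the posted scripts with an allowlist on the bare name plus a realpath containment check; UPLOAD_DIR, is_safe_filename(), resolve_in_dir() and the extension list are assumptions of this example, and the directory layout follows the "../../../uploads/" path the scripts use.

```php
<?php
// Added example, not code from the thread. Assumes the layout the thread
// describes: this script lives under the web root and the uploads directory
// is three levels up, outside it.
const UPLOAD_DIR = __DIR__ . '/../../../uploads';

// Allowlist instead of a blacklist: letters, digits, "_", "-" and "." only,
// first character must not be "." (rules out "..", dotfiles and empty names),
// and the extension must be one we expect. Every slash is rejected implicitly.
function is_safe_filename(string $name): bool
{
    if (!preg_match('/^[A-Za-z0-9_-][A-Za-z0-9_.-]{0,99}$/', $name)) {
        return false;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($ext, ['zip', 'txt', 'jpg', 'png', 'pdf'], true); // constructed list
}

// Second line of defence for the download side: resolve the path and confirm
// the real file sits directly inside the real upload directory.
function resolve_in_dir(string $base, string $name): ?string
{
    if (!is_safe_filename($name)) {
        return null;
    }
    $realBase = realpath($base);
    $realFile = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($realBase === false || $realFile === false || !is_file($realFile)) {
        return null;
    }
    return dirname($realFile) === $realBase ? $realFile : null;
}

// download.php: serve only what resolve_in_dir() approved; never use the raw name.
$path = resolve_in_dir(UPLOAD_DIR, $_GET['file'] ?? '');
if ($path === null) {
    http_response_code(404);
    exit('File not found.');
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```

In upload.php the same is_safe_filename() is applied to $_FILES['fileupload']['name'] before move_uploaded_file(), with UPLOAD_DIR . '/' . $name as the destination, and the upload is refused when it returns false. Because realpath() resolves symlinks, the containment check on the download side also refuses a link inside the upload directory that points elsewhere.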