Thread title: Is my site secure? |
Post #1, 02-24-2007, 10:50 PM
Status: I love this place | Join date: Jun 2005 | Location: UK | Posts: 562
Is my site secure?
www.gunzreplay.com
Basically, you should only be allowed to upload .gzr files (Gunz replays). I want to make sure it can't be exploited or hacked or anything, so can you guys test it for me?
Thanks.
Post #2, 02-25-2007, 12:54 AM
Status: Member | Join date: Jan 2007 | Location: Belfast, Northern Ireland | Posts: 316
Seems to be fine. Although I'm not an expert at finding exploits/hacking, I've tested for the most common one.
Post #3, 02-25-2007, 01:45 AM
Status: I love this place | Join date: Jun 2005 | Location: UK | Posts: 562
Who uploaded?
Willing to pay to get this fixed.
Post #4, 02-25-2007, 11:51 AM
Status: I'm new around here | Join date: Oct 2006 | Posts: 1
Sorry, I did!
I assume you have the validation simply check to see if the file name ends in .gzr?
If you do it that way, all someone has to do is upload an executable file, image or other program with the ending .gzr and it gets uploaded.
I would suggest validating the MIME type - Google is your friend here. You are using PHP, so there are plenty of scripts out there to help.
Nothing is completely foolproof but, as I say, check out how to verify a MIME type.
Hope that helps, and I hope I did not scare you.
Post #5, 02-25-2007, 12:46 PM
Status: Member | Join date: Feb 2006 | Posts: 191
Also make sure the script doesn't overwrite files that already exist. Apart from that, not loads can go wrong with an upload.
Post #6, 02-25-2007, 01:06 PM
Status: I love this place | Join date: Jun 2005 | Location: UK | Posts: 562
Originally Posted by Martha Biggly:
    Sorry, I did!
    I assume you have the validation simply check to see if the file name ends in .gzr?
    If you do it that way, all someone has to do is upload an executable file, image or other program with the ending .gzr and it gets uploaded.
    I would suggest validating the MIME type - Google is your friend here. You are using PHP, so there are plenty of scripts out there to help.
    Nothing is completely foolproof but, as I say, check out how to verify a MIME type.
    Hope that helps, and I hope I did not scare you.

Yes, that's the way I'm doing it. It's not possible to validate the MIME type of a .gzr file because it has none. This is my setup:
Code:
<?php
$folder = "replays/"; // Folder the files will be uploaded into (needs to be chmoded to 777)
$size_limit = "3072"; // File size limit in bytes. Default: 3072 (note: 3072 bytes is 3 KB, not 3 MB)
$file_type = "application/octet-stream"; // Type of permitted files. Don't change
$file_type2 = "unknown/unknown";
$file_extension = "gzr"; // Extension of permitted files.
// Extensions that are explicitly rejected.
$check_for = array("exe", "dll", "zip", "rar", "jpg", "gif", "png", "tiff", "tga", "raw", "bmp", "wdp", "xpm", "mp3", "wav", "flac", "m4a", "wma", "avi", "mpg", "mpeg", "wmv", "ra", "rv", "rm", "rmvb", "ram", "smil", "mp2", "mp1", "ogg", "txt", "doc", "html", "pdf"); // missing semicolon added
?>
Razor, when a file has the same name, it adds a 3-digit random code to the start.
Post #7, 02-25-2007, 02:16 PM
Status: Request a custom title | Join date: Dec 2005 | Location: Arizona | Posts: 5,200
Yeah, before I read your last post, I tried uploading a .html file as .gzr and it worked, but then I read that it has no MIME type.
What you can do is go into cPanel, add an extension of gzr to a known MIME type that is rarely used, and then check for that MIME type. Make sure that the MIME type can't harm your server if anyone figures it out, though.
Post #8, 02-25-2007, 04:28 PM
Status: Member | Join date: Jan 2007 | Posts: 311
What you can also do for a little bit of extra security, if you wanted, is that since .gzr doesn't have a MIME type, you could validate an uploaded file and check that the file doesn't have a MIME type. While there is surely more than one file type that doesn't have a MIME type, this check would eliminate people trying to upload a file that does in fact have a MIME type.
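Pulling the thread's advice together (post #4's content check, post #6's configuration, post #7's renamed-.html test, post #5's overwrite concern and post #8's "no MIME type" idea), here is an added example of a server-side upload handler. It is not code from this thread or from gunzreplay.com. It assumes PHP's finfo extension is available, that the replay directory sits outside the web root (REPLAY_DIR is an assumed path), and that GZR_MAGIC is a placeholder for the real header bytes of a .gzr file, which the thread never states.

```php
<?php
// Added example (not the thread author's code). Assumptions: REPLAY_DIR is not
// served by the web server, and GZR_MAGIC is a placeholder until the real .gzr
// header bytes are known.
declare(strict_types=1);

const REPLAY_DIR = __DIR__ . '/replays_private';   // assumption: outside the document root
const SIZE_LIMIT = 3 * 1024 * 1024;                // 3 MB (the thread's "3072" is only 3 KB)
const GZR_MAGIC  = null;                           // placeholder: set to the real header bytes once known

// Content sniffed as any of these is something renamed to .gzr, not a replay.
const REJECTED_MIME_PREFIXES = ['text/', 'image/', 'audio/', 'video/', 'application/x-dosexec',
    'application/x-executable', 'application/zip', 'application/pdf', 'application/x-php'];

/**
 * Decide whether an upload may be stored. Returns [bool $ok, string $reason].
 * $tmp_path is PHP's temp file; $client_name is the name the browser sent.
 */
function validate_replay(string $tmp_path, string $client_name): array
{
    // 1. The extension only decides what we will call the file; it proves nothing about its content.
    if (strtolower(pathinfo($client_name, PATHINFO_EXTENSION)) !== 'gzr') {
        return [false, 'extension must be .gzr'];
    }
    // 2. Size limit, measured on the temp file the server actually received.
    $real = filesize($tmp_path);
    if ($real === false || $real === 0 || $real > SIZE_LIMIT) {
        return [false, 'bad size'];
    }
    // 3. Sniff the bytes. finfo ignores the file name entirely, so a renamed
    //    .html file still comes back as text/html and a PNG as image/png.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $tmp_path);
    finfo_close($finfo);
    if ($mime === false) {
        return [false, 'could not sniff content'];
    }
    foreach (REJECTED_MIME_PREFIXES as $prefix) {
        if (strpos($mime, $prefix) === 0) {
            return [false, "content looks like $mime, not a replay"];
        }
    }
    // "Has no MIME type" really means finfo falls back to application/octet-stream.
    if ($mime !== 'application/octet-stream') {
        return [false, "unexpected content type $mime"];
    }
    // 4. If the real format has a fixed header, require it (placeholder until known).
    if (GZR_MAGIC !== null) {
        $head = file_get_contents($tmp_path, false, null, 0, strlen(GZR_MAGIC));
        if ($head !== GZR_MAGIC) {
            return [false, 'missing .gzr header'];
        }
    }
    return [true, 'ok'];
}

/**
 * Store the file under a server-chosen random name; the client name is never reused.
 * fopen() mode 'x' fails if the name already exists, so two uploads can never
 * overwrite each other, even if they arrive at the same moment.
 */
function store_replay(string $tmp_path): string
{
    if (!is_dir(REPLAY_DIR) && !mkdir(REPLAY_DIR, 0750, true)) {
        throw new RuntimeException('cannot create replay directory');
    }
    for ($attempt = 0; $attempt < 5; $attempt++) {
        $name = bin2hex(random_bytes(16)) . '.gzr';
        $dest = REPLAY_DIR . '/' . $name;
        $fh = @fopen($dest, 'x');            // create only; false if it already exists
        if ($fh === false) {
            continue;                         // collision (practically impossible); pick another name
        }
        fclose($fh);
        if (!move_uploaded_file($tmp_path, $dest)) {
            unlink($dest);
            throw new RuntimeException('move failed');
        }
        chmod($dest, 0640);                   // plain data file, never executable
        return $name;
    }
    throw new RuntimeException('could not pick a unique name');
}

// Request handling, only when running under a web server with a form field named "replay".
if (PHP_SAPI !== 'cli' && isset($_FILES['replay'])) {
    $f = $_FILES['replay'];
    if ($f['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($f['tmp_name'])) {
        http_response_code(400);
        exit('upload failed');
    }
    [$ok, $why] = validate_replay($f['tmp_name'], $f['name']);
    if (!$ok) {
        http_response_code(400);
        exit('rejected: ' . htmlspecialchars($why));
    }
    echo 'stored as ' . htmlspecialchars(store_replay($f['tmp_name']));
}
```

Two design points. First, the content sniff is what actually catches the renamed .html file from post #7: finfo looks at bytes, not names, so post #8's "check that it has no MIME type" becomes "require that the sniff falls back to application/octet-stream", which is the strongest check available until the real .gzr header is known. Second, a random server-chosen name created with fopen('x') answers post #5 without a race: the original's "add a 3-digit code when the name exists" can still collide between the existence check and the write, whereas 'x' makes the create-if-absent step atomic.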