Is my site secure?

02-24-2007, 10:50 PM
#1
daz

www.gunzreplay.com

Basically you should only be allowed to upload .gzr(gunz replays). I want to make sure it can't be exploited or hacked or anything, so can you guys test it for me?

Thanks.

02-25-2007, 12:54 AM
#2
Gerard

Seems to be fine. I'm not an expert at finding exploits/hacking, but I've tested for the most common one.

02-25-2007, 01:45 AM
#3
daz

Who uploaded?


#test

http://talkfreelance.com/thread32824.html

If this was not a real .gzr file, what could I do?
Willing to pay to get this fixed.

02-25-2007, 11:51 AM
#4
Martha Biggly

Sorry, I did!

I assume you have the validation simply check to see if the file ends in .gzr?

If you do it that way, all someone has to do is upload an executable file, image, or other program with the ending .gzr and it gets uploaded.

I would suggest validating the MIME type - Google is your friend here. You are using PHP, so there are plenty of scripts out there to help.

Nothing is completely foolproof but, as I say, check out how to verify a MIME type.

Hope that helps, and I hope I did not scare you.

02-25-2007, 12:46 PM
#5
RaZoR^

Also make sure the script doesn't overwrite files that already exist. Apart from that, not loads can go wrong with an upload.

02-25-2007, 01:06 PM
#6
daz

Originally Posted by Martha Biggly:
Sorry, I did!

I assume you have the validation simply check to see if the file ends in .gzr?

If you do it that way, all someone has to do is upload an executable file, image, or other program with the ending .gzr and it gets uploaded.

I would suggest validating the MIME type - Google is your friend here. You are using PHP, so there are plenty of scripts out there to help.

Nothing is completely foolproof but, as I say, check out how to verify a MIME type.

Hope that helps, and I hope I did not scare you.

Yes, that's the way I'm doing it. It's not possible to validate the MIME type of a .gzr file because it has none. This is my setup:

Code:
<?php

$folder = "replays/"; // Folder the files are uploaded into (needs to be chmoded to 777)
$size_limit = "3072"; // File size limit in bytes. Default: 3072 (that is 3 KB; 3 MB would be 3145728)
$file_type = "application/octet-stream"; // MIME type of permitted files. Don't change
$file_type2 = "unknown/unknown"; // Alternative MIME type some servers report for unknown files
$file_extension = "gzr"; // Extension of permitted files
// Extensions that are rejected (denylist checked against the uploaded file's name)
$check_for = array("exe", "dll", "zip", "rar", "jpg", "gif", "png", "tiff", "tga", "raw", "bmp", "wdp", "xpm", "mp3", "wav", "flac", "m4a", "wma", "avi", "mpg", "mpeg", "wmv", "ra", "rv", "rm", "rmvb", "ram", "smil", "mp2", "mp1", "ogg", "txt", "doc", "html", "pdf");
?>
Razor, when a file has the same name it adds a 3-digit random code to the start.

02-25-2007, 02:16 PM
#7
Andrew R

Yeah, before I read your last post, I tried uploading a .html file as .gzr and it worked, but then I read that it has no MIME type.

What you can do is go into cPanel, add an extension of gzr to a known MIME type that is rarely used, and then check for that MIME type. Make sure that the MIME type can't harm your server if anyone figures it out, though.

02-25-2007, 04:28 PM
#8
Amross

What you can also do for a little bit of extra security, if you wanted, is that since .gzr doesn't have a MIME type, you could validate an uploaded file and check that the file doesn't have a MIME type. While there is surely more than one file type that doesn't have a MIME type, this check would eliminate people trying to upload a file that does in fact have a MIME type.
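The advice in this thread pulled together as one handler, written as an added example (not daz's script and not code posted by anyone here): check only the final extension, sniff the real content with finfo and reject anything libmagic recognises as a known type (since .gzr has none), and store under a server-generated name so nothing is overwritten. The form field name "replay", the storage directory and the size limit are assumptions.

```php
<?php
// Added example, not daz's script: hardened .gzr upload handler built on this thread's advice.
// The field name "replay", the directory and the size limit are assumptions.
const UPLOAD_DIR    = __DIR__ . '/../replays_private/'; // assumed: outside the web root
const MAX_BYTES     = 3 * 1024 * 1024;                   // 3 MB (3072 KB), not 3072 bytes
const ALLOWED_EXT   = 'gzr';
// .gzr has no registered MIME type, so the only acceptable sniff result is
// "nothing more specific than a generic binary" (Amross's check).
const GENERIC_TYPES = ['application/octet-stream', 'unknown/unknown'];

function validate_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Missing, failed or non-PHP-managed upload');
    }
    if ($file['size'] === 0 || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('File size out of range');
    }
    // Check the LAST extension of the client-supplied name, case-insensitively:
    // evil.gzr.php is rejected, Replay.GZR is accepted.
    if (strtolower(pathinfo($file['name'], PATHINFO_EXTENSION)) !== ALLOWED_EXT) {
        throw new RuntimeException('Only .gzr files are accepted');
    }
    // Sniff the content with libmagic; never trust $_FILES['type'], which the browser sets.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($detected, GENERIC_TYPES, true)) {
        throw new RuntimeException("Content looks like $detected, not a replay");
    }
    return $file['tmp_name'];
}

function store_upload(string $tmpPath): string
{
    // Server-generated random name: the client's name is never reused and an
    // existing file is never overwritten (RaZoR^'s point).
    do {
        $dest = UPLOAD_DIR . bin2hex(random_bytes(16)) . '.' . ALLOWED_EXT;
    } while (file_exists($dest));
    if (!move_uploaded_file($tmpPath, $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640); // readable by the app, never executable
    return $dest;
}

try {
    echo 'Stored as ' . basename(store_upload(validate_upload($_FILES['replay'] ?? []))) . PHP_EOL;
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'Rejected: ' . $e->getMessage() . PHP_EOL;
}
```

An uploaded HTML page renamed to .gzr, as Andrew R tried, is caught at the finfo step because libmagic reports it as text/html rather than application/octet-stream.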
