How To Prevent People Upload Unwanted .php File
I have a 777 cmod folder open. It needed to be writable so that legitimate users can upload their picture. However, i do not want people to upload .php or .php.pjepg etc to the server.
There are times that they do not use the form in my site to upload the php file. How can they do that? via perl command? And how to prevent such thing from happending?
View Complete Thread with Replies
Sponsored Links:
Related Forum Messages:
PHP File Upload
I think I messed php config and I can't upload anything with php now Dir is chmoded on 777 and File_Uploads = On in php.ini I'm running lsphp5 with suhosin, when I try to import db via phpmyadmin I get error: Uploading is not allowed and when I try to upload some file via php script I can't
View Replies!
View Related
Prevent PHP Files Used For File Uploading
It appears that some people like to take advantage of those files for online web applications such as Wordpress which have php files with permissions set to 777. They use those as a means of creating an upload file. The upload files that they create then have access to the whole server somehow... Is there anyway of preventing this from happening?
View Replies!
View Related
People Uploading Much Bigger Files To My Server, That I Want (using Php)
i have free hosting server and a rule to upload 3MB file max. it works for FTP, but somehow it doesn't work for php. It seems for php the limit on my server is 100MB (no idea why) i use following directives to limit file size in php.ini : ; Maximum size of POST data that PHP will accept. post_max_size = 4M (4 just for some margin ) ; Maximum allowed size for uploaded files. upload_max_filesize = 3M and i still can find 100MB files on disk. this is part of log file from apache from the account that uploaded it to me: Code: boorako.[] someip - - [13/May/2007:12:21:22 +0200] "POST /a/redir.php?capthatag=accesscode&saveto=&path=/some/path/boorako.[]/a&comment=&domail=&email=&useproxy= &proxy=&split=&method=tc&partSize=10&redirto=/a/index.php&link=redir.php?capthatag=accesscode&saveto=&path= /some/path/boorako.[]/a&comment=&domail=&email=&useproxy=&proxy=&split=&method=tc&partSize=10&redirto= /a/index.php&link=[url] HTTP/1.1" 302 188 [url] boorako.[] someip - - [13/May/2007:12:21:35 +0200] "POST /a/redir.php?capthatag=accesscode&saveto=&path=/some/path/boorako.[]/a&comment= &domail=&email=&useproxy= &proxy=&split=&method=tc&partSize=10&redirto=/a/index.php&link=redir.php?capthatag=accesscode&saveto=&path= /some/path/boorako.[]/a&comment=&domail=&email=&useproxy=&proxy=&split=&method=tc&partSize=10&redirto= /a/index.php&link=[url] HTTP/1.1" 302 188 [url] "Mozilla/5.0 (Windows; U; Windows NT 5.1; pl; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3" as the effect of this (at least i think so), there was 100MB file in his home dir. any idea how can he POST such big files even with those two directives? i have also set LimitRequestBody to 5194304 and LimitXMLRequestBody to 5194304 in apache2.conf which also should stop files being POSTED as big as 100MB. i have php 4.4.4-9, Linux Debian, apache 2.2.3 working in worker mpm, and php as fastcgi. P.S. i removed server info like IP, dir and address to not show specifics about my server in public, i put [] there.
View Replies!
View Related
Upload File
I have a forum ( VBulletin ) in admincp Upload file is ok and high, For example .Zip file are max 3 Meg upload, but i want upload .Zip in thread, i can not upload over 1 Mb, and i view database error!
View Replies!
View Related
Cannot Upload File
When I try to install ffmpeg, but it fail. The server cannot upload 1KB file from php. $_FILES['xxx']['size'] return to 0 $_FILES['xxx']['tmp_name'] return to '' Server: CentOS 5.x X86_64 Bit + Cpanel + Apache 1.3 + PHP 4.4.8... Quote: Originally Posted by php.ini ;;;;;;;;;;;;;;;;;;; ; Resource Limits ; ;;;;;;;;;;;;;;;;;;; max_execution_time = 30 max_input_time = 60 memory_limit = 64M ; Maximum size of POST data that PHP will accept. post_max_size = 8M ;;;;;;;;;;;;;;;; ; File Uploads ; ;;;;;;;;;;;;;;;; ; Whether to allow HTTP file uploads. file_uploads = On ; Temporary directory for HTTP uploaded files (will use system default if not ; specified). ;upload_tmp_dir = ; Maximum allowed size for uploaded files. upload_max_filesize = 50M
View Replies!
View Related
File Upload - And Timeouts
I run a video script on my new server at leaseweb and had a lot of trouble with timeouts and IO Errors when uploading files to our site. We tried changing a few settings making the environment as liberal as possible. I changed max_input_time and max_execution_time in php.iniI also changed TimeOut in httpd.conf and made sure there is no LimitRequestBody in httpd.conf The tmp directory should have enough space and is writable. So the question is if these changes are not enough because we are still getting these errors. Is there something we are missing. Or does Leaseweb have some invisible incoming bandwidth limit it slaps on its servers by default?
View Replies!
View Related
What Would Prevent A File Being FTPed Immeidately And Showing Up On Website
I am trying to ftp some changes to my site. The strange thing is that while the FTP client (Filezilla) is accepting the new file, it will not show up on the new site. I've tried caching, refreshing browers, and rebooting but nada. I then went back into my FTP client and checked the timestamp of the file being uploaded. For whatever reason, it will not show the most recent time of the file being uploaded, much less accept the most recent upload. Here is a screenshot of what I mean.
View Replies!
View Related
Email And A File Upload Page
A few accounts that will probably hold a few gigabytes worth of data. I need each account to use IMAP and handle up to 5 customer service reps simultaneously accessing the same account via IMAP. * We tried this previously with Google for domains but were limited to 10 simultaneous connections via IMAP * Website Just a basic LAMP setup is fine and the mysql isn't even necessary. I will be hosting a basic form for hi-res photo uploading though so I need to have a pretty high timeout and memory limit for php. As far as traffic on the site is concerned, I don't anticipate more than a handful of users on the site at a time. My question is - do you think a good shared host in the $10 a month range could handle a project like this? Can you recommend one? I can setup a VPS on Linode for $20 a month that I'm sure could handle this, but I'm not a server admin and don't want to risk managing sensitive data myself.
View Replies!
View Related
Mod_security- Hacker Still Upload File..
I just have someone uploading file via php on a website, i need a way to block that kind of attack via mod security? can add in mod security to avoid this? 89.146.147.144 - - [17/Jan/2007:12:24:11 -0600] "GET /favicon.ico HTTP/1.1" 404 1002 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1" 89.146.147.144 - - [17/Jan/2007:12:24:23 -0600] "GET /XXXX/index.php?x=************.***?&action=mkdir&chdir=/var/www/vhosts/XXXX.net/httpdocs/XXXX/&newdir=bh HTTP/1.1" 200 154634 [url] x=************.***??" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1" 89.146.147.144 - - [17/Jan/2007:12:24:32 -0600] "GET /XXXX/index.php?x=************.***?&chdir=/var/www/vhosts/XXXX.net/httpdocs/XXXX/bh/ HTTP/1.1" 200 7444 [url "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1" 89.146.147.144 - - [17/Jan/2007:12:24:41 -0600] "GET /XXXX/index.php?x=************.***?&action=mkdir&chdir=/var/www/vhosts/XXXX.net/httpdocs/XXXX/bh/&newdir=************.*** HTTP/1.1" 200 8422 [url] "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
View Replies!
View Related
File Upload Security On XO - Built In
My website, a free classified ads site, is hosted by XO, the hosting company. I'm introducing a feature where advertisers can, for free, post pictures of the things that they're advertising -- that is, where advertisers can upload a JPEG or a GIF. I understand that this can open my site up to the uploading of malicious code, and that I should put safeguards in place to make sure that only JPEGs and GIFs get uploaded. However, I'm wondering if XO doesn't include some built-in safeguards that would keep malicious code from getting executed. In other words, since a profesional hosting company runs the servers -- not me -- do I need to be worried about security at all?
View Replies!
View Related
How To Prevent Customer From Using PHP Scripts
Is there a way that I can prevent certain customers from using PHP scripts with their account? For example, I'm planning to offer some free hosting accounts (along with paid ones) but do not plan to allow PHP or Perl scripts with the free accounts as I'm worried about the server being exploited. (That could also happen with paid accounts but less likely.)
View Replies!
View Related
Moving Large File Storage, Upload/download To Amazon S3
I'm currently running on a VPS. My site allows for large file uploads and downloads, with files over 600mb in size. The server has issues when the site gets three or more requests for large file downloads. I'm trying to grow this site to thousands of users and it is hard to do when the site can't handle even three. I've been told by my host that I need to upgrade to dedicated. My VPS only has 512mb RAM and one large file download is eating up that RAM. This is causing the issue. I'm a newbie and while I knew I was risking a bit by going with VPS I do find it a bit annoying that these guys advertise 1TB of bandwidth per month but I can't even support downloading 1GB at the same time....maybe it's just me... Anyway, I am now looking into moving the large files and the upload/download over to Amazon S3. If I do this I am expecting my RAM usage on the VPS to greatly decrease. Is this correct? If my PHP code is running on the VPS, but the actual file download via HTTP is coming from S3, that should not be a heavy load on my box, correct? any opinions on S3?
View Replies!
View Related
Prevent Httpd/php Core Dumping
for the 2nd time now we've had php become corrupt or something and core dump all over user dirs filling them up with useless garbage ... We did check the core dumps (atleast a couple) and they were just showing that php was seg faulting which a php recompile took care off (most likely a corrupt php binary) anyway, what I'd like to know is can anyone recommend a reliable/safe way of disabling php or http from dumping core files and perhaps instead use a different method of notifying the admin of impending or current issues with either software eg. when they seg fault send an email to admin rather than dump a core in user's space We're running cpanel servers, php4, rhel and phpsuexec is on (cgi)
View Replies!
View Related
Can't Upload Via Php Script
I am having problems on my server... I can't upload files via php script because of a time out... when i upload files that take 2-3 min upload i get timeout... everything under that is normaly uploaded ... execution time is set to 3000 .. same problem again.. file size limit set over 200MB ... (trying to upload 20-30MB) ... timeout... etc...
View Replies!
View Related
Links Files In Linux (file.txt For File.php)
Today I found some cstomer on the servers make a link for named it file.txt and link it to other customer php file. so that customer have the ability to show the other custoer file content when visiting the url because it is a text wile originally it is a php file. the php file was a config file, so now he know the database password , and because he is in the same server he can use that databse. the question , how to avoide this prolem in the future? notes , the SuExec is rnning and the open_basedir protection is enabled, but the problem still exists.
View Replies!
View Related
Strange PHP File On My VPS. (oxb.php)
I found a strange PHP file in a strange folder on a VPS I am using to host a few sites. I've looked through the logs but can't figure out how it got there and I've look at the code and can't make any sense of it. Can somebody take a look at the code and tell me what they think of it: .....
View Replies!
View Related
Unwanted Code In Index.html
I have multiple demo websites under single domain. and in each folder default page is as index.html few days back i have observed a blank space on each index.html. when i check the code then i have found an auto generated code just after the body tag in index.html. the code is as follows <div style="visibility:hidden"><iframe src="[url] Also I am getting Question marks (?) in some blank spaces in HTML preview. I have removed it but it again appears after some time. I have contacted to server support but they said that this is SQL Injection attack but there is no database connectivity involved in any of my websites.
View Replies!
View Related
Every Email Which Sends Outputs Unwanted Lines
Every email which gets automatically sent out from my server begins with: Reply-To: noreply@MYDOMAIN.com X-Mailer: PHP/4.4.7 Message-Id: <20080319210750.564111CEC004@mx.MYDOMAIN.com> Date: Wed, 19 Mar 2008 22:07:50 +0100 (CET) Dear DOMAIN.com Member, This is not in our PHP code or anything, and I can't seem to remove it, its just a tad annoying. How do I remove it?
View Replies!
View Related
Is It A Hacking Attempt.. Request Of Wierd Files Along With Unwanted SSL Handshake
I see following errors in my server ie. httpd error logs: Code: [Mon Mar 30 07:23:55 2009] [error] mod_ssl: SSL handshake failed (server localhost:443, client 79.132.204.192) (OpenSSL library error follows) [Mon Mar 30 07:23:55 2009] [error] OpenSSL: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac [Mon Mar 30 07:23:55 2009] [error] mod_ssl: SSL handshake failed (server localhost:443, client 60.63.241.18) (OpenSSL library error follows) [Mon Mar 30 07:23:55 2009] [error] OpenSSL: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol [Hint: speaking not SSL to HTTPS port!?] [Mon Mar 30 07:23:56 2009] [error] [client 114.224.169.0] File does not exist: /var/www/html/XRkVCfvCJ/GzTk/ChDbhf/-YSDDv/1Sch/2hfMMf/-M0DO/ACDEzXMEM/CYSkGFj/SGXtEUX0W/0KMV/RKJ2fTUDC/bFT/SX00/VtJVht/D1XvJBgHP/5lll.gif [Mon Mar 30 08:46:42 2009] [error] server reached MaxClients setting, consider raising the MaxClients setting In last you can see that MySQL reached maximum allowed client ..and it crashed Also, at regular intervals I see such requests: /var/www/html/XRkVCfvCJ/GzTk/ChDbhf/-YSDDv/1Sch/2hfMMf/-M0DO/ACDEzXMEM/CYSkGFj/SGXtEUX0W/0KMV/RKJ2fTUDC/bF/SX00/VtJVht/D1XvJBgHP/5lll.gif Also I see SSL handshake failure notices while I do not have any SSL cert or SSL running site on this server.
View Replies!
View Related
Php File Corruption
I have a Linux VPS with Liquidweb which is working fine except for one problem: On one domain I have a shopping cart (a highly modded CubeCart). A number of the files are encrypted php files (part of the extensive mods). For several weeks all will work fine, then out of the blue, the cart will stop working because a number of the encrypted files have become corrupt. The result is either a totally blank page or a 'checksum error'. Uploading the files from a local backup fixes things for another few days or weeks. I have no idea why this is happening, or what triggers it, so if anyone can point me in the right direction to find out what is behind the problem, I would greatly appreciate it. The server uses PHP 5.2.x
View Replies!
View Related
Cron: How To Run Php File
My server with cPanel, I'd like run file http://domain.com/file.php at 0h00 everyday, I have set the Cron Job in cPanel : Code: 0 0 * * * /usr/bin/ehpwget http://domain.com/file.php but The cron is not working well Code: /bin/sh: /usr/bin/ehpwget: No such file or directory Can any one please let me know how to run a php file with cron. (as user or root)
View Replies!
View Related
[php] <defunct> - What File Generating That ?
On my server, i have one user ho create load on my server. user 29508 22.0 0.0 0 0 ? Z 15:18 0:00 [php] <defunct> That user has more site added with addons from cpanel. How can I found witch site is generating that high load ? Also some time, I have php index.php ( and that don't help me very much ) The server run php as cgi module.
View Replies!
View Related
PHP Permissions (file Owner)
I have setup an ftp user which can upload files to /home/ftp/upload and obviously it assigns the ftp user as the owner when it uploads. Now, I want PHP to be able to rename those files, but getting a permission denied, presumably because apache aint the owner or doesnt have permission to do that, so how do I grant it the right permission(s)?
View Replies!
View Related
PHP File Change String
I currently have this code in my Image Upload script which changes the file name into sets of numbers and letters Quote: $new_file_name = "uploads/" . md5($_FILES['selector']['name'] . time()) . "." . $extension; How can i make it so its smaller than an md5, about 6 or 7 numbers and letters.
View Replies!
View Related
Mod_rewrite - Changing Paths In The Php File?
I am using mod_rewrite to create "pretty" urls but some of my files contain paths such as this: <img src="images/blah.jpg"> Meaning if the user visits a page where the file does not physically exist then it won't work. I want to know if it is possible to pick this up and rewrite the path. I.e.: change: <img src="images/blah.jpg"> to: <img src="../images/blah.jpg"> or <img src="../../images/blah.jpg"> As I don't want to create physical files with relative urls for every trunk of my url. For example: www.mydomain.com/directory/directory/directory/ Would need 3 different files in three different directories to display properly.
View Replies!
View Related
Chmod Choices With Php Writing To A File
My account has been hacked with every index.php page defaced. I've cleaned up and my shared wehost is pointing at me saying there shouldn't be any 777 permissions for any files in there. I used 777 to allow php to add records in a txt file and in an xml file. Is there a better / more secure chmod code I can use? Those are the only two instances where I need php to write to a file and those files shouldn't be served to anyone, I do not want anyone to be able to access them. How can I secure them while letting php write in them?
View Replies!
View Related
Php.ini And .htaccess File Permissions
I'm on a shared FreeBSD server, running Apache with Drupal, and vBulletin. I had to create a local php.ini file in my public_html folder for Drupal, and another in my forum folder for vBulletin. Now my question is, what should I set the permissions of these files to? Also, what should I set .htaccess permissions to as well? I'd like to keep them invisible to the public. But, I don't want any problems with Drupal, or vBulletin ether. I'm used to using Linux and I know how permissions work on a desktop. I just don't know what they do when used on a server. I'm guessing 640, but I'd like to make sure before I change anything.
View Replies!
View Related
Strip Whitespace From Each Line Of PHP File
I have a load of PHP files that need trimming down, so for example Code: <html> <?php $loads_of_stuff = 1231231; ?> </html> change to Code: <html> <?php $loads_of_stuff = 1231231; ?> </html> There are 000's of lines, so some awk command or something similiar would be great to execute on each file.
View Replies!
View Related
How To Secure Your Php.ini File Safe Mode ; Disable_functions ; Etc
what are the most important issues for secure php.ini file like when you turn your SAFE_MODE ON or OFF? or please who every read this topic to post his important disable_functions in php.ini ... and if some functions disable to post it ... let's make this subject for the most important issues for secure your php.ini from script-kids as we can ... here i have some important question's for anyone has or controlling a server ; vps .... #0x01 ; what the most important disable_functions for the php.ini? #0x02 ; is the safe_mode should be enabled? or disable? and this depend on what exacly? #0x03 ; what the functions or any trick to control the nobody ( attacker on the server or shell ) FROOZ .... didn't move ? or make any command in the server ... #0x04 ; i saw in some secure server ( as they say ) they changed the Server : discribe to them name[s] like Server : SECURE BY US .COM OR SECURE SERVER .. uname -a : Linux secure.secure.com 2.6.9-023stab040.1 #1 Mon Jan 15 23:24:32 MSK 2007 i686 athlon i386 GNU/Linux sysctl : linux 2.6.9-023stab040.1 Server : SECURE BY US ! < [THIS WHAT I MEAN HOW COULD WE CHANGE IT IN PHP.ini ?] id : uid=99(nobody) gid=99(nobody) groups=99(nobody) <[how can we cannot make this nobody to have the host id ! everyhost in the server should have his own name and php.ini ?] pwd : /home/host/public_html/ #0x05 ; how can we hide the uname -a on the shell [ the attacker upload it to our customer site !] #0x06 ; how can we hide the sysctl to view to anyone like [ attacker ] ... #0x07 ; how can we rewrite on he Server Type the display for our secure message?Server : SECURE BY US ! #0x08 ; how can we give evey site and customer his php.ini file in his public_html? and how can we give him [ JUST HIS PERMISSION TO HIS SITES FOLDER AND NOT OTHER PATHS AND PERMISSION!] these question every one had a server ; vps , need to know and secure his box from other ... and anyone would like to publish any new [secure or not] idea please let us know what you would like to say ....
View Replies!
View Related
Simpleish PHP/flat Files - Create File, Edit, Save
Display some text in a web browser from a file called text.txt text.txt will have many lines and some of them I do not want users to be able to modify and overwrite. config_item_1=user can edit config_item_2=user should see but not edit (could be on any line) config_item_3=user can edit config_item_4=user can edit The user has made their changes in the web browser and clicks submit. I then need this info to be saved as the text.txt file however some checking needs to be done first. Anything matching config_item_2 should be removed. This could be on any line. Anything not matching should be permitted and added.
View Replies!
View Related
How Many People Use VMWare?
I'm not sure how many people here use VMWare, but I'll give this question a shot... I'm looking for a solution similar to Winrar that can view the contents of the .vmdk file. Either to extract any files, or just view the contents without having the have the virtual machine online. I checked Google as well as VMWare's forums/website with no avail.
View Replies!
View Related
|
TRACKER
