Help with is_uploaded_file


akanevsky
04-25-2005, 06:33 PM
I am trying to make a hack here which requires inserting something into the $_FILES array even though it was not really posted. Of course, is_uploaded_file gives me false and the script does not work. Here it is:


// read the whole remote file through PHP's URL wrappers
// (with allow_url_fopen on, fopen() accepts any registered wrapper here, not just http://)
$handle = @fopen($url, 'rb');
$contents = "";
if ($handle)
{
    while (!feof($handle))
    {
        $contents .= fread($handle, 8192);
    }
    fclose($handle);
}
// if fopen() failed, $contents is still "" and should be treated as an error
// (looping on feof() of a failed handle would never terminate)

$tmp_name = 'vbupload' . substr(TIMENOW, -4);
$filesize = strlen($contents);

// write file to temporary directory...
if ($vboptions['safeupload'])
{
    // ... in safe mode
    $filename = $vboptions['tmppath'] . "/$tmp_name";
    $filenum = @fopen($filename, 'wb');
    @fwrite($filenum, $contents);
    @fclose($filenum);
}
else
{
    // ... in normal mode
    $filename = tempnam(ini_get('upload_tmp_dir'), 'vbupload');
    $fp = @fopen($filename, 'wb');
    @fwrite($fp, $contents);
    @fclose($fp);
}

// fake a $_FILES entry so the attachment code treats it like a browser upload;
// 'name' keeps only the part of the URL after the last slash
$_FILES["attachment$key"]['name'] = preg_replace('/http:\/\/(.*)\//si', '', $url);
$_FILES["attachment$key"]['type'] = '';
$_FILES["attachment$key"]['size'] = $filesize;
$_FILES["attachment$key"]['tmp_name'] = $filename;
$_FILES["attachment$key"]['error'] = 0;


Yeah... So is there any way to get around is_uploaded_file and make the system think the file was uploaded, or am I doing something wrong?

filburt1
04-25-2005, 06:44 PM
The point of is_uploaded_file() is to verify that the user really did upload a file. Without it, the user can access arbitrary files on the system. I suggest using some other method of faking a file upload.

akanevsky
04-25-2005, 06:46 PM
Like what? Plus, using preg_replace and preg_match I could check that the file is really remote.

Or can files that are not normally accessible be opened via fopen?

noppid
04-25-2005, 07:22 PM
> Like what? Plus, using preg_replace and preg_match I could check that the file is really remote.
>
> Or can files that are not normally accessible be opened via fopen?

There are approximately 67 ways to exploit your site using fopen libs to access remote files. That's just the tip of the iceberg.

You can ruin the end users experience if the remote file fails as well.

http://blog.unitedheroes.net/archives/p/1630/

http://us2.php.net/manual/en/ref.curl.php

The other issues I guess are related to trying to hook into the vB API to create an attachment? I'm not sure with the little code snippet you posted.

akanevsky
04-25-2005, 07:50 PM
Yeah, I was trying to hook into the vB API to pseudo-post an attachment from a URL.

So, there is no safe way to upload a remote file?

noppid
04-25-2005, 08:12 PM
> Yeah, I was trying to hook into the vB API to pseudo-post an attachment from a URL.
>
> So, there is no safe way to upload a remote file?

No, just cut and paste that curl code sample to avoid exploits and make sure the user's page does not hang. Of course you can read and tighten it up if you desire.

I would take the snippets from the API to post the attachment and do the checks on your end.

I don't know enough about all of your code to suggest more ATM, but you are close.
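An added example for this thread (not vBulletin code, and not what either poster wrote): a URL-upload fetch that does the checks noppid describes (curl instead of fopen(), timeouts, no hanging page) together with the ones filburt1's point implies (only http/https to a public host, so the server cannot be pointed at its own files or its internal network). fetch_remote_attachment(), resolve_public_ip(), url_is_acceptable(), the $allowed_extensions parameter standing in for the admincp list, and the sample URLs at the bottom are all this example's own assumptions. It needs PHP 5.5+ with the curl extension (CURLOPT_RESOLVE).

```php
<?php
// Added example for this thread, not code from vBulletin. Assumed names:
// resolve_public_ip(), url_is_acceptable(), fetch_remote_attachment().

// Resolve a hostname once and return its IP only if it is a public address.
// Loopback, link-local, RFC 1918 and reserved ranges are refused (SSRF guard).
// gethostbyname() is IPv4 only, so IPv6-only hosts are refused as well.
function resolve_public_ip($host)
{
    $ip = filter_var($host, FILTER_VALIDATE_IP) ? $host : gethostbyname($host);
    if (!filter_var($ip, FILTER_VALIDATE_IP)) {
        return false;                       // gethostbyname() could not resolve it
    }
    $public = filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
    return $public === false ? false : $ip;
}

// Accept only plain http(s) URLs with a public host. fopen() in the first
// post would also open file://, php://filter, ftp:// and bare local paths.
function url_is_acceptable($url)
{
    $p = @parse_url($url);
    if (!is_array($p) || empty($p['scheme']) || empty($p['host'])) {
        return false;
    }
    if (!in_array(strtolower($p['scheme']), array('http', 'https'), true)) {
        return false;
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return false;                       // no http://user:pass@host/ tricks
    }
    return resolve_public_ip($p['host']) !== false;
}

// Download $url into a temp file with cURL and return a $_FILES-shaped array,
// or false. $allowed_extensions stands in for the admincp attachment list.
function fetch_remote_attachment($url, array $allowed_extensions, $max_bytes, $tmp_dir)
{
    if (!url_is_acceptable($url)) {
        return false;
    }
    $p    = parse_url($url);
    $name = isset($p['path']) ? basename($p['path']) : '';
    $info = pathinfo($name);
    $ext  = isset($info['extension']) ? strtolower($info['extension']) : '';
    if ($name === '' || !in_array($ext, $allowed_extensions, true)) {
        return false;                       // same allow-list as a form upload
    }
    $port = isset($p['port']) ? (int) $p['port'] : ($p['scheme'] === 'https' ? 443 : 80);
    $ip   = resolve_public_ip($p['host']);

    $tmp = tempnam($tmp_dir, 'vbupload');
    $fp  = fopen($tmp, 'wb');
    $written = 0;
    // Write callback: returning fewer bytes than offered makes cURL abort, which
    // enforces the size cap even when the server sends no Content-Length.
    $sink = function ($ch, $data) use ($fp, &$written, $max_bytes) {
        $written += strlen($data);
        return $written > $max_bytes ? 0 : fwrite($fp, $data);
    };

    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);  // a 302 must not re-target us
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);       // the user's page must not hang
    curl_setopt($ch, CURLOPT_TIMEOUT, 20);
    // Pin the address we vetted so a second DNS lookup cannot rebind to 127.0.0.1.
    curl_setopt($ch, CURLOPT_RESOLVE, array($p['host'] . ':' . $port . ':' . $ip));
    curl_setopt($ch, CURLOPT_WRITEFUNCTION, $sink);
    $ok   = curl_exec($ch);
    $code = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    fclose($fp);

    if ($ok === false || $code !== 200 || $written === 0) {
        @unlink($tmp);
        return false;
    }
    return array('name' => $name, 'type' => '', 'size' => $written,
                 'tmp_name' => $tmp, 'error' => 0);
}

// Constructed inputs: only the first should ever be fetched; the fopen() loop
// in the first post would open every one of them.
$samples = array(
    'http://example.com/files/report.pdf',
    'file:///etc/passwd',
    'php://filter/convert.base64-encode/resource=includes/config.php',
    'http://127.0.0.1/admincp/index.php',
    'http://admin:secret@example.com/x.zip',
);
foreach ($samples as $u) {
    printf("%-70s %s\n", $u, url_is_acceptable($u) ? 'fetch' : 'reject');
}
```

The returned array is deliberately not pushed into $_FILES: is_uploaded_file() and move_uploaded_file() should keep refusing it, because that refusal is exactly the guarantee filburt1 describes. Hand the array to whatever code stores attachments on a separate path that knows the file came from the server's own vetted fetch, and keep the extension, size and content checks that the normal upload path performs. The example is conservative by design (no redirects, no IPv6), which is the right default for a feature that lets an anonymous visitor make the web server open a URL of their choosing.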

akanevsky
04-25-2005, 08:48 PM
Hmm... I don't have much experience with reading and managing files...

What kind of exploits could there be? Or is that curl snippet safe enough?

The code I posted is a slight variation of the one you can find in the vBulletin process_image_upload() function, which is used for uploading URL avatars. However, it has no is_uploaded_file check in there, unlike in attachments.

noppid
04-25-2005, 08:52 PM
> Hmm... I don't have much experience with reading and managing files...
>
> What kind of exploits could there be? Or is that curl snippet safe enough?
>
> The code I posted is a slight variation of the one you can find in the vBulletin process_image_upload() function, which is used for uploading URL avatars. However, it has no is_uploaded_file check in there, unlike in attachments.

Things change, so will the code eventually. It's getting attention now and will be exploited eventually. But that's another subject. Following some of those links should tell you the details.

I would say the curl snippet is very safe in comparison. But that is subjective of course.

Are you pulling images? Does your code ask for a url and fetch the object on demand as opposed to an upload form?

akanevsky
04-26-2005, 12:49 PM
No, not necessarily images.
I am trying to enhance the attachment form with a URL upload instead of just an upload form, so that would be any files that have an acceptable extension (defined in the vB admincp).