vb.org Archive > vBulletin 3 Discussion > vB3 Programming Discussions
#1  04-25-2005, 06:33 PM  akanevsky
Help with is_uploaded_file

I am trying to make a hack here, which requires inserting something into $_FILES array even though it was not really posted. Of course, is_uploaded_file gives me false and the script does not work. Here it is:

PHP Code:
    // fetch the remote file into memory (note: no check that fopen() succeeded)
    $handle = @fopen($url, 'rb');
    $contents = "";
    while (!feof($handle))
    {
        $contents .= fread($handle, 8192);
    }
    fclose($handle);

    $tmp_name = 'vbupload' . substr(TIMENOW, -4);
    $filesize = strlen($contents);

    // write file to temporary directory...
    if ($vboptions['safeupload'])
    {
        // ... in safe mode
        $filename = $vboptions['tmppath'] . "/$tmp_name";
        $filenum = @fopen($filename, 'wb');
        @fwrite($filenum, $contents);
        @fclose($filenum);
    }
    else
    {
        // ... in normal mode
        $filename = tempnam(ini_get('upload_tmp_dir'), 'vbupload');
        $fp = @fopen($filename, 'wb');
        @fwrite($fp, $contents);
        @fclose($fp);
    }

    // forge an entry in $_FILES so the attachment code treats it as an upload
    $_FILES["attachment$key"]['name'] = preg_replace('/http:\/\/(.*)\//si', '', $url);
    $_FILES["attachment$key"]['type'] = '';
    $_FILES["attachment$key"]['size'] = $filesize;
    $_FILES["attachment$key"]['tmp_name'] = $filename;
    $_FILES["attachment$key"]['error'] = 0;
Yeah... So is there any way to go around is_uploaded_file and make the system think it was uploaded, am I doing something wrong or what?
#2  04-25-2005, 06:44 PM  filburt1

The point of is_uploaded_file() is to verify that the user really did upload a file. Without it, the user can access arbitrary files on the system. I suggest using some other method of faking a file upload.
#3  04-25-2005, 06:46 PM  akanevsky

Like what? Plus, using preg_replace and preg_match I could check that the file is really remote..

Or can files that are not normally accessible be opened via fopen?
#4  04-25-2005, 07:22 PM  noppid

Quote:
Originally Posted by Dark Visor
Like what? Plus, using preg_replace and preg_match I could check that the file is really remote..

Or can files that are not normally accessible be opened via fopen?
There are approximately 67 ways to exploit your site using fopen libs to access remote files. That's just the tip of the iceberg.

You can ruin the end users experience if the remote file fails as well.

http://blog.unitedheroes.net/archives/p/1630/

http://us2.php.net/manual/en/ref.curl.php

The other issues I guess are related to trying to hook into the vB API to create an attachment? I'm not sure with the little code snippet you posted.
#5  04-25-2005, 07:50 PM  akanevsky

Yeah, I was trying to hook into the vB API to pseudo-post an attachment from a URL.

So, there is no safe way to upload a remote file?
#6  04-25-2005, 08:12 PM  noppid

Quote:
Originally Posted by Dark Visor
Yeah, I was trying to hook into the vB API to pseudo-post an attachment from a URL.

So, there is no safe way to upload a remote file?
No, just use that curl code sample cut and paste to avoid exploits and make sure the user page does not hang. Of course you can read and tighten it up if you desire.

I would take the snippets from the API to post the attachment and do the checks on your end.

I don't know enough about all of your code to suggest more ATM, but you are close.
#7  04-25-2005, 08:48 PM  akanevsky

Hmm... I don't have much experience on the part of reading and managing files...

What kind of exploits could there be? Or is that curl snippet safe enough?

The code I posted is a slight variation of the one you can find in the vBulletin process_image_upload() function, which is used for uploading URL avatars. However, it has no is_uploaded_file check in there, unlike in attachments.
#8  04-25-2005, 08:52 PM  noppid

Quote:
Originally Posted by Dark Visor
Hmm... I don't have much experience on the part of reading and managing files...

What kind of exploits could there be? Or is that curl snippet safe enough?

The code I posted is a slight variation of the one you can find in the vBulletin process_image_upload() function, which is used for uploading URL avatars. However, it has no is_uploaded_file check in there, unlike in attachments.
Things change, so will the code eventually. It's getting attention now and will be exploited eventually. But that's another subject. Following some of those links should tell you the details.

I would say the curl snippet is very safe in comparison. But that is subjective of course.

Are you pulling images? Does your code ask for a url and fetch the object on demand as opposed to an upload form?
#9  04-26-2005, 12:49 PM  akanevsky

No, not necessarily images.
I am trying to enhance the attachment form with a URL upload instead of just the upload form. So that would be any files that have an acceptable extension (defined in the vB admincp).
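A safer shape for the URL-attachment feature discussed in this thread, as an added example that is not the thread's or vBulletin's code: it leaves is_uploaded_file() alone instead of forging $_FILES (post #2), downloads with cURL and timeouts so the page cannot hang (post #6), and applies the admin-defined extension allow-list (post #9). It assumes PHP 5.3+ with the cURL extension; the function name, $allowed_ext and $max_bytes are constructed for the example, not vBulletin settings.

```php
// Added example, not the thread's or vBulletin's code: fetch a user-supplied
// URL into a temp file for the attachment code to consume through its own
// path, instead of forging $_FILES and fighting is_uploaded_file().
// $allowed_ext and $max_bytes are constructed parameters, not vB settings.
function fetch_remote_attachment($url, array $allowed_ext, $max_bytes = 2097152)
{
    // Only real remote schemes. fopen() also accepts file://, php:// and
    // local paths, which is exactly what is_uploaded_file() is there to stop.
    $p = parse_url($url);
    if (!$p || !isset($p['scheme'], $p['host'])
        || !in_array(strtolower($p['scheme']), array('http', 'https'), true)) {
        return array('error' => 'only http/https URLs are accepted');
    }
    // Extension allow-list checked before anything is downloaded.
    $name = isset($p['path']) ? basename($p['path']) : '';
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if ($name === '' || !in_array($ext, $allowed_ext, true)) {
        return array('error' => 'extension not allowed');
    }
    // cURL with timeouts (no hung page), HTTP(S)-only redirects, and a size
    // cap enforced while streaming rather than after buffering the whole body.
    $tmp = tempnam(sys_get_temp_dir(), 'rmt');
    $fp = fopen($tmp, 'wb');
    $written = 0;
    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_MAXREDIRS       => 3,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => 20,
        CURLOPT_WRITEFUNCTION   => function ($ch, $data) use ($fp, &$written, $max_bytes) {
            $written += strlen($data);
            // Returning fewer bytes than received makes libcurl abort the transfer.
            return ($written > $max_bytes) ? 0 : fwrite($fp, $data);
        },
    ));
    $ok     = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    fclose($fp);
    if ($ok === false || $status !== 200) {
        unlink($tmp);
        return array('error' => 'download failed, timed out or exceeded ' . $max_bytes . ' bytes');
    }
    return array('name' => $name, 'tmp_name' => $tmp, 'size' => $written);
}
```

Pass the returned tmp_name to the attachment code through a dedicated code path rather than by writing into $_FILES, so the is_uploaded_file() check keeps protecting the real upload form.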