Sanitize issues I think

Posted by rumrunner439, 09-22-2008, 12:22 AM
OK, I'm over having to rename everything on my computer because a song on the hard drive is listed as "1 train". Well, it sees the space and it won't upload it; no member will understand that. Or if it's deep in the computer like c:/mydocuments/mymusic/group/albumname/song, it's in way too deep for my site to let it upload. Or if you add a song with a word with a ' in it, I think my script thinks it's trying to be MySQL injected, so it rejects it. How can I fix this? Here's my upload.php code. HELP lol.

Name of song: F:\08 Feel It.mp3, and the error was:

Sorry,uploading files in this format is not allowed.Please Ensure Your file names follow this format. 1.Entire file cannot exceed 60 charactoers 2.format should be filename.extension or filename 3.legal charactoers are 1-9,a-z,A-Z,'_','-'

Which is ridiculous; no member will rename everything. So how can I fix it and make it easier to upload?

ERROR: Can't open $paramFileName");
    while(!feof($fh)){
        $buffer = fgets($fh, 4096);
        list($key, $value) = explode('=', trim($buffer));
        $value = str_replace("~EQLS~", "=", $value);
        $value = str_replace("~NWLN~", "\r\n", $value);
        if(isset($key) && isset($value) && strlen($key) > 0 && strlen($value) > 0){
            if(preg_match('/(.*)\[(.*)\]/i', $key, $match)){
                $param_array[$match[1]][$match[2]] = $value;
            }
            else{
                $param_array[$key] = $value;
            }
        }
    }
    fclose($fh);
    if(isset($param_array['delete_param_file']) && $param_array['delete_param_file'] == 1){
        for($i = 0; $i < 5; $i++){
            if(unlink($paramFileName)){
                break;
            }
            else{
                sleep(1);
            }
        }
    }
    return $param_array;
}

STemplate::assign('tmp_sid', $tmp_sid);
STemplate::assign('disallow_extensions', $disallow_extensions);
STemplate::assign('allow_extensions', $allow_extensions);
STemplate::assign('path_to_ini_status_script', $path_to_ini_status_script);
STemplate::assign('check_file_name_format', $check_file_name_format);
STemplate::assign('check_disallow_extensions', $check_disallow_extensions);
STemplate::assign('check_allow_extensions', $check_allow_extensions);
STemplate::assign('check_null_file_count', $check_null_file_count);
STemplate::assign('check_duplicate_file_count', $check_duplicate_file_count);
STemplate::assign('max_upload_slots', $max_upload_slots);
STemplate::assign('progress_bar_width', $progress_bar_width);
STemplate::assign('path_to_upload_script', $path_to_upload_script);
STemplate::assign('multi_upload_slots', $multi_upload_slots);

if($_REQUEST[action_upload]!="") {
    if(strlen($_REQUEST[field_myvideo_title]) < 3)
        $err = "Upload: Please provide a video title with minimum 3 characters.";
    elseif(preg_match("/[^a-zA-Z0-9 öüäÖÜÄ!?\_\-\.]/", $_REQUEST[field_myvideo_title]))
        $err = "Upload: Unallowed characters in video title.";
    elseif(strlen($_REQUEST[field_myvideo_descr]) < 3)
        $err = "Upload: Please provide a description with min of 3 characters.";
    elseif(preg_match("/[^a-zA-Z0-9 öüäÖÜÄ\!\?\_\-\.]/", $_REQUEST[field_myvideo_descr]))
        $err = "Upload: Unallowed characters in description.";
    elseif(strlen($_REQUEST[field_myvideo_keywords]) < 1)
        $err = "Upload: Please provide tag(s).";
    elseif(preg_match("/[^a-zA-Z0-9 öüäÖÜÄ\-]/", $_REQUEST[field_myvideo_keywords]))
        $err = "Upload: Tags should be seperated only by spaces";
    elseif(count($_REQUEST[chlist])<1 || count($_REQUEST[chlist])>3)
        $err="Upload: Please check (1 to 3) channel(s).";

    if($err==""){
        $page = "second";
        STemplate::assign('secondpage',"second");
        $listch=implode("|",$_REQUEST[chlist]);
        STemplate::assign('listch',$listch);
        $var = "";
        STemplate::assign("var", $var);
    }
}

if(isset($_GET['rnd_id'])) {
    STemplate::assign('upload_page', 'upload');
    $temp_dir = $_REQUEST['temp_dir'];
    $_POST_DATA = getPostData($temp_dir, $_REQUEST['tmp_sid']);
    $upload_dir = $_POST_DATA['upload_dir'];
    $upload_file = $_POST_DATA['upfile_0'];
    $upload_file_path = $upload_dir . $upload_file;
    if(!is_file($upload_file_path) || filesize($upload_file_path) < 0) {
        $err = 'Failed to upload selected file!';
    }
    // was filesize($uploaded_file_path): that variable is never set, so the size was always 0
    $upload_file_size = filesize($upload_file_path);

    if($err == "") {
        $pos = strrpos($upload_file,".");
        $ph = strtolower(substr($upload_file,$pos+1,strlen($upload_file)-$pos));
        $space = round($upload_file_size/(1024*1024));
        if($config['enable_package']=="yes") {
            check_subscriber($space);
        }
        //this should never happen
        if(($ph!="3gp" && $ph!="mp4" && $ph!="mov" && $ph!="asf" && $ph!="flv" && $ph!="mpg" && $ph!="avi" && $ph!="mpeg" && $ph!="wmv" && $ph!="rm" && $ph!="dat") || $space>$config[max_video_size])
            $err = 'Invalid video format or invalid video size!';
    }

    if($err == "") {
        if($config['enable_video']=="no") {
            $appr = 'yes';
        } elseif($config['enable_video']=="yes") {
            $appr = 'no';
        }
        $sql="insert into video set UID=$_SESSION[UID], title='$_POST_DATA[field_myvideo_title]', description='$_POST_DATA[field_myvideo_descr]', keyword='$_POST_DATA[field_myvideo_keywords]', channel='0|$_POST_DATA[listch]|0', space = '$space', addtime='".time()."', adddate='".date("Y-m-d")."', vkey='".mt_rand()."', type='$_POST_DATA[field_privacy]', filehome='$_POST_DATA[p]', approve='$appr'";
        $conn->execute($sql);
        $vid=mysql_insert_id();
        $vdoname=$vid.".".$ph;
        $ff = $config['vdodir'].'/'.$vdoname;
        //rename uploaded file
        if(rename($upload_file_path,$ff)) {
            exec("$config[mencoder] $config[vdodir]/$vdoname -o $config[flvdodir]/".$vid.".flv -of lavf -oac mp3lame -lameopts abr:br=56 -ovc lavc -lavcopts vcodec=flv:vbitrate=9600:mbd=2:mv0:trell:v4mv:cbp:last_pred=3 -ofps 12 -srate 22050");
            //exec("$config[mencoder] $config[vdodir]/$vdoname -o $config[flvdodir]/".$vid.".flv -of lavf -oac mp3lame -lameopts abr:br=56 -ovc lavc -lavcopts vcodec=flv:vbitrate=9600:mbd=2:mv0:trell:v4mv:cbp:last_pred=3 -lavfopts i_certify_that_my_video_stream_does_not_use_b_frames -srate 22050");
            video_to_frame($ff, $vid);
            exec("/usr/bin/flvtool2 -UP ". $config[flvdodir]."/".$vid.".flv");
            //get duration
            exec("$config[mplayer] -vo null -ao null -frames 0 -identify $config[vdodir]/$vdoname", $p);
            while(list($k,$v)=each($p)) {
                if($length=strstr($v,'ID_LENGTH=')) break;
            }
            $lx = explode("=",$length);
            $duration = $lx[1];
        } else {
            $err = 'Failed to rename uploaded file!';
        }
    }

    if($err == "") {
        $key=substr(md5($vid),11,20);
        //send_subscribed_mail($_SESSION[UID],'$key',$_SESSION[EMAIL]);
        $sql="update video set vdoname='$vdoname', flvdoname='".$vid.".flv', duration='$duration', vkey='$key' WHERE VID=$vid";
        $conn->execute($sql);
        if($config['enable_package']=="yes") {
            $sql = "update subscriber set used_space=used_space+$space, used_bw=used_bw+$space, total_video=total_video+1 where UID=$_SESSION[UID]";
            $conn->execute($sql);
        }
        header("Location:$config[baseurl]/upload_success.php?viewkey=$key&upload=yes");
    }
}

if($_POST[embed_final]!="") {
    if($_REQUEST[field_embed_code]=="") $err="Please provide the embed code.";
    if($_FILES['field_uploadthumb']['tmp_name']=="") $err="Please provide the thumbnail image.";

    if($err=="" && $_FILES['field_uploadthumb']['tmp_name']!="") {
        $p=$_FILES['field_uploadthumb']['name'];
        $pos=strrpos($p,".");
        $ph=strtolower(substr($p,$pos+1,strlen($p)-$pos));
        /* Space in Megabytes (MB) */
        $space = round($_FILES['field_uploadfile']['size']/(1024*1024));
        if($config['enable_package']=="yes") {
            check_subscriber($space);
        }
        if(($ph!="jpg") || $space>$config[max_video_size]) $err="Invalid Image Format.";
    }

    if($err=="") {
        if($config['enable_video']=="no") {
            $appr = 'yes';
        } elseif($config['enable_video']=="yes") {
            $appr = 'no';
        }
        $sql="insert into video set UID=$_SESSION[UID], title='$_REQUEST[field_myvideo_title]', description='$_REQUEST[field_myvideo_descr]', keyword='$_REQUEST[field_myvideo_keywords]', channel='0|$_REQUEST[listch]|0', space = '$space', filetype = 'E', embed_code = '$_REQUEST[field_embed_code]', embed = '', approve='$appr', addtime='".time()."', adddate='".date("Y-m-d")."', vkey='".mt_rand()."', type='$_REQUEST[field_privacy]', filehome='$_REQUEST[p]'";
        $conn->execute($sql);
        $vid=mysql_insert_id();
        $vdoname=$vid.".".$ph;
        if(isset($_FILES['field_uploadthumb']['tmp_name']) && is_uploaded_file($_FILES['field_uploadthumb']['tmp_name'])) {
            $ff = $config[tmbdir]."/1_".$vdoname;
            move_uploaded_file($_FILES['field_uploadthumb']['tmp_name'], $ff);
            $file = $config[tmbdir]."/1_".$vdoname;
            $newfile = $config[tmbdir]."/2_".$vdoname;
            $newfile2 = $config[tmbdir]."/3_".$vdoname;
            copy($file, $newfile);
            copy($file, $newfile2);
        }
        //END
        $key=substr(md5($vid),11,20);
        send_subscribed_mail($_SESSION[UID],'$key',$_SESSION[EMAIL]);
        $sql="update video set vdoname='', flvdoname='', duration='0', vkey='$key' WHERE VID=$vid";
        $conn->execute($sql);
        if($config['enable_package']=="yes") {
            $sql = "update subscriber set used_space=used_space+$space, used_bw=used_bw+$space, total_video=total_video+1 where UID=$_SESSION[UID]";
            $conn->execute($sql);
        }
        header("Location:$config[baseurl]/upload_success.php?viewkey=$key&upload=yes");
    }
}

STemplate::assign('err',$err);
STemplate::assign('msg',$msg);
STemplate::assign('upload_page', 'upload');
STemplate::assign('menu_active', 'upload');
STemplate::assign('head_bottom',"blank.tpl");
STemplate::display('head1.tpl');
STemplate::display('err_msg.tpl');
if ($_REQUEST[action] == "select") {
    STemplate::display('uploadselect.tpl');
} else {
    STemplate::display('upload.tpl');
}
STemplate::display('footer.tpl');
?>

Posted by Tim Greer, 09-22-2008, 02:03 AM
I didn't see the specific check for this in the code above, but there's a lot of code posted. Can you please simply post the actual relevant code portions and leave out the rest so it's easier to follow? Anyway, if you bypass this (because it's more than just an SQL injection issue that can be caused by bypassing this check) then you'll need to add some additional checks to ensure that the upload section remains secure with the new allowances. Hopefully, it just rejects everything by default and only allows what it knows to be safe (from a conditional standpoint).
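The "reject everything by default and only allow what is known to be safe" approach described in the reply above, applied to the file-name problem from the first post, as an added example in PHP that is not from this thread or from the AlstraSoft script. It assumes a mysqli connection in $db, a video table with the UID, title, space, addtime and adddate columns the posted SQL uses, and an allowed-extension list of its own; all of those are assumptions. The point it makes: spaces and apostrophes can be allowed in the title a member sees, because the title is stored with a prepared statement and never becomes a path or a shell argument, while the name used on disk is built from the database id and a whitelisted extension.

```php
<?php
// Added example, not code from the thread or from the AlstraSoft script.
// Assumed: $db is a mysqli connection; the video table has the columns used below;
// ALLOWED_EXTENSIONS is this example's own list, not the script's configuration.

// Extensions the site accepts; anything else is rejected (default deny).
const ALLOWED_EXTENSIONS = ['mp3', 'mp4', 'flv', 'avi', 'mov', 'wmv', 'mpg', 'mpeg'];

/**
 * Split a client-supplied file name into a display title and a safe extension.
 * Browsers (and the uploader used here) may send a full Windows path such as
 * "F:\08 Feel It.mp3", so directories are stripped first.
 * Returns null when the name is not acceptable.
 */
function parseUploadName(string $clientName): ?array
{
    // basename() only treats "/" as a separator on Linux hosts, so map "\" to "/" first.
    $name = basename(str_replace('\\', '/', $clientName));

    // Reject empty, overlong names and anything containing control characters.
    if ($name === '' || strlen($name) > 255 || preg_match('/[\x00-\x1F\x7F]/', $name)) {
        return null;
    }

    $dot = strrpos($name, '.');
    if ($dot === false || $dot === 0) {
        return null;                       // need "title.extension"
    }
    $ext   = strtolower(substr($name, $dot + 1));
    $title = trim(substr($name, 0, $dot));

    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;                       // extension not on the allow list
    }

    // Display title: letters, digits, spaces, apostrophes and a few punctuation marks.
    // These are safe here because the title only ever goes into a bound SQL parameter
    // (and must still be passed through htmlspecialchars() when printed as HTML).
    if ($title === '' || strlen($title) > 60 || !preg_match("/^[A-Za-z0-9 '!?._()&,-]+$/", $title)) {
        return null;
    }

    return ['title' => $title, 'ext' => $ext];
}

/**
 * The on-disk name is derived from the database id and the whitelisted extension,
 * never from user input, so path and shell safety do not depend on what the member typed.
 */
function storedFileName(int $videoId, string $ext): string
{
    return $videoId . '.' . $ext;
}

/** Insert the row with a prepared statement; an apostrophe in "Don't Stop" cannot alter the query. */
function insertVideo(mysqli $db, int $uid, array $parsed, int $spaceMb): int
{
    $stmt = $db->prepare(
        'INSERT INTO video (UID, title, space, addtime, adddate) VALUES (?, ?, ?, ?, ?)'
    );
    $addtime = time();
    $adddate = date('Y-m-d');
    $stmt->bind_param('isiis', $uid, $parsed['title'], $spaceMb, $addtime, $adddate);
    $stmt->execute();
    return (int) $db->insert_id;
}

/**
 * Every argument handed to exec() is quoted, even though the stored name is already
 * safe, so a later change to the naming scheme cannot turn a file name into shell syntax.
 */
function buildEncodeCommand(string $mencoder, string $src, string $dst): string
{
    return escapeshellcmd($mencoder) . ' ' . escapeshellarg($src)
        . ' -o ' . escapeshellarg($dst) . ' -of lavf';
}

// Constructed sample inputs, including the name from the first post.
var_dump(parseUploadName('F:\08 Feel It.mp3'));        // title "08 Feel It", ext "mp3"
var_dump(parseUploadName("C:\\Music\\Don't Stop.mp3")); // title "Don't Stop", ext "mp3"
var_dump(parseUploadName('../../etc/passwd'));         // null: no allowed extension
var_dump(parseUploadName('clip.php.mp3'));             // title "clip.php", stored as "<id>.mp3"
```

With this split the old "legal characters are 1-9,a-z,A-Z,'_','-'" rule is no longer needed for the file name itself: the member's name only has to pass the title check, and the file the web server and mencoder touch is always named from the integer id.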

Posted by WebNaz, 09-22-2008, 10:17 AM
Probably it will work if you comment out STemplate::assign('check_file_name_format', $check_file_name_format); but as Tim Greer said

Posted by rumrunner439, 09-22-2008, 10:56 AM
OK, I removed STemplate::assign('check_file_name_format', $check_file_name_format); but got the same error: Sorry,uploading files in this format is not allowed.Please Ensure Your file names follow this format. 1.Entire file cannot exceed 60 charactoers 2.format should be filename.extension or filename 3.legal charactoers are 1-9,a-z,A-Z,'_','-'

I'm thinking it's due to the code below, so how do I get it to allow a space in the name of the song, the same as it would be on your computer for songs? And how would I add an additional check? I got hacked on the main site and I got that fixed with help on here (it wasn't sanitized right), and now I've got that fixed. If I can get this issue fixed I'll be a lot happier; it's a pain in the butt renaming everything, I've had to do it on all 800 songs I've uploaded!! Thanks everyone for the help.

if($_REQUEST[action_upload]!="") {
    if(strlen($_REQUEST[field_myvideo_title]) < 3)
        $err = "Upload: Please provide a video title with minimum 3 characters.";
    elseif(preg_match("/[^a-zA-Z0-9 öüäÖÜÄ!?\_\-\.]/", $_REQUEST[field_myvideo_title]))
        $err = "Upload: Unallowed characters in video title.";
    elseif(strlen($_REQUEST[field_myvideo_descr]) < 3)
        $err = "Upload: Please provide a description with min of 3 characters.";
    elseif(preg_match("/[^a-zA-Z0-9 öüäÖÜÄ\!\?\_\-\.]/", $_REQUEST[field_myvideo_descr]))
        $err = "Upload: Unallowed characters in description.";
    elseif(strlen($_REQUEST[field_myvideo_keywords]) < 1)
        $err = "Upload: Please provide tag(s).";
    elseif(preg_match("/[^a-zA-Z0-9 öüäÖÜÄ\-]/", $_REQUEST[field_myvideo_keywords]))
        $err = "Upload: Tags should be seperated only by spaces";
    elseif(count($_REQUEST[chlist])<1 || count($_REQUEST[chlist])>3)
        $err="Upload: Please check (1 to 3) channel(s).";

Posted by rumrunner439, 09-22-2008, 11:03 AM
Oh, and Tim, my luck it's not going to reject everything by default. This was an AlstraSoft script and I've had to fix everything myself, and then fix or add as I go. My other script I had to sanitize myself because it got hacked, so I'm fixing the video script now. Thanks for looking, I'm still learning code.

Posted by WebNaz, 09-22-2008, 11:18 AM
Sorry, your only option is what Tim said: "post the actual relevant code portions". Go through the scripts and try to find the error code "Entire file cannot exceed 60 charactoers....legal characters are" and see which function triggers this error.

Posted by rumrunner439, 09-22-2008, 01:14 PM
OK, I found that code before because it was set to 32 characters and I upped it to 60, so I'll go back and look through the code for the other trigger and I'll post it. Thanks.

Posted by rumrunner439, 09-22-2008, 01:24 PM
I found this code in uu_file_upload.php