blith
Life Cycles Becoming CPU Cycles


Joined: Jul 18, 2003
Posts: 953

Posted: Wed Jul 02, 2008 7:53 am

Thank you for looking. I would really like to see if this can work with RN2.20.01. I would like a secure upload module for my site. Thank you for looking. Some of it is in Italian....

Code:

<?php
/************************************************************************/
//
//  EASYUP-NUKE
//
// module created by HI-Lab based on EasyUp of Amine Ouelhadj
// Copyright (c) 2002 by cooperativa sociale l'Utopia a r.l.
// released under GPL licence
//
//
//
/***************************************************************************/

//
// upload html form
//

// Standard PHP-Nuke guard: only run when loaded through modules.php
// ($PHP_SELF is populated by register_globals in this PHP 4-era code)
if (!eregi("modules.php", $PHP_SELF)) {
        die ("Non puoi accedere a questo file direttamente...");
}
require_once("mainfile.php");
$module_name = basename(dirname(__FILE__));
get_lang($module_name);
$pagetitle = "- "._TITLEASYUP."";


    global $user, $cookie, $prefix, $dbi, $user_prefix;
    include ("header.php");
    title("<img src='modules/Easyup/EASYUP-NUKE.jpg' width='248' height='123' alt='logo EASYUP-NUKE'>");
    OpenTable();
    echo "<center><font class=\"content\"><b>"._TITLEASYUP."</b></font></center><br><br>"
                . "<i>"._INSTRUCTIONEASYUP."</i><br>"
        ."<form ENCTYPE=\"multipart/form-data\" action=\"modules.php?mop=modload&name=Easyup&file=index\" method=\"post\">"
        ._FILETYPE.":<br><SELECT  name=\"percorso\" title=\"Tipo di file\">\n"
        ."<OPTION value=\"1\">"._FILETODISPLAY."</OPTION>\n"
        ."<OPTION value=\"2\">"._FILETODOWN."</OPTION></SELECT><br><br>\n"
        ._FILEPOSITION.":<br><input name=\"nomfichier\" type=\"file\" size=\"30\"><br><br>\n"
        ._ALTTAG.":<br><input name=\"alt\" type=\"text\" size=\"30\" maxlength=\"40\"><br><br>\n"
        ._BGCOLORSWF.":<br># <input name=\"bgcolorswf\" type=\"text\" size=\"6\" maxlength=\"6\"><br><br>\n"
        ."<input type=\"submit\" name=\"Submit\" value=\""._SEND."\">\n"
        ."</form><br>\n";


//----------------------------------------------------------------
// upload engine
//----------------------------------------------------------------


// parameters

// choose directory of upload files
$imagesdir="images/upload";
$downloaddir="images/materiali";
// Allow or not executable files adding an extension - yes="si" no="no"
$execution = "no";
// Allow or not upload of index files - yes="si" no="no"
$index_autorisation = "no";

$alertdimension=array(
        // Alert dimension for image files in Kb (integer)
        'img'   => 150,
        // Alert dimension for swf files in Kb (integer)
        'swf'   => 150,
        // Alert dimension for other files in Kb (integer)
        'other' => 500
        );

// check folder permissions
function checkperms($dir)
         {
         $permsdir=decoct(fileperms($dir));
         $perms=substr("$permsdir",-3);
         if ($perms!="777")
             {
             echo "<div align=\"center\"><font color=\"#cc0000\"><h3>"._ERRORPERM." &quot;$dir&quot; "._ERRORPERM2."<br>"
                  ._PERMISSION." $perms. "._PERMISSION2."</h3></font></div><br>";
             }
         }



checkperms($imagesdir);
checkperms($downloaddir);

switch ($percorso)
        {
        case "1":
              $chemin=$imagesdir;
              break;
        case "2":
              $chemin=$downloaddir;
              break;
        }

$testotoobig=array(_TOOBIG,_TOOBIG1,_TOOBIG2,_TOOBIG3,_TOOBIG4,_TOOBIG5);

// Normalise the uploaded file name to lower case so the extension checks
// below are case-insensitive (the original wrote to an unused $nom_fichier_name)
$nomfichier_name = strtolower($nomfichier_name);


// check extension of file: returns true when the last extension is one of
// the script types that must not be stored as-is. This is a blacklist, so
// any extension not listed here (php5, phtm, ...) passes through.
function check_extension($nomfichier_name)
        {
        $parts = explode(".", $nomfichier_name);
        $extension = end($parts);
        if ($extension == "php" || $extension == "php3" || $extension == "php4" || $extension == "pl" || $extension == "phtml" || $extension == "asp" || $extension == "cgi")
                {
                return true;
                }
        return false;
        }


// Check that the file is not named index.<extension>
function verif_index($nomfichier_name)
        {
        $pointeur = strrpos($nomfichier_name, ".");
        $nom  = substr($nomfichier_name, 0, $pointeur);
        if (ereg ("^index$", $nom)) return true;
        return false;
        }



// Check whether the file already exists on the server.
// Note: with an empty $nomfichier_name this tests "$chemin/", i.e. the
// upload directory itself, which always exists.
function presence_file($nomfichier_name)
        {
        global $chemin;
        if (file_exists("$chemin/$nomfichier_name")) return true;
        return false;
        }


// Calculate dimensions of files and print alert message
function dimensionefiles($chemin,$nomfichier_name,$testotoobig1,$testotoobig2,$max)
         {
         $dimensione=filesize("$chemin/$nomfichier_name");
         $fdimensione=number_format($dimensione, 0, ',', '.');
         $kdimensione=number_format(($dimensione/1024), 1, ',', '.');
         $mdimensione=number_format(($kdimensione/1024), 1, ',', '.');
         if ($dimensione<=1023)
             {
             echo "<center>"._FILEIS." $dimensione "._BYTES.".</center><br>";
             }
         elseif (($dimensione>1023)&&($dimensione<=1048575))
             {
             echo "<center>"._FILEIS." $kdimensione Kb ($fdimensione "._BYTES.").</center><br>";
             if ($kdimensione>$max) {echo "<center><font color=\"#ff0000\"><h3>$testotoobig1</h3></font>$testotoobig2</center><br><br>";}
             }
         elseif (($dimensione>1048575))
             {
             echo "<center>"._FILEIS." $mdimensione Mb ($fdimensione "._BYTES.").<br>"
                 ."<font color=\"#ff0000\"><h3>$testotoobig1</h3></font>$testotoobig2</center><br><br>";
             }
         }

// Calculate dimensions of image and print related html tag
function imagetag($chemin,$nomfichier_name,$alt)
         {
         global $testotoobig,$alertdimension;
         $misura=getimagesize("$chemin/$nomfichier_name");
         $htmlimgstring="<img src=\"$chemin/$nomfichier_name\" alt=\"$alt\" ".$misura[3].">";
         echo "<center><h2>"._TITLETAG."</h2>\n".
              "<i>"._INSTRUCTIONTAG." "._IMAGE.". "._INSTRUCTIONTAG2."</i><br>\n";
         echo "<font color=\"#000066\"><h2><blockquote>&lt;img src=\"$chemin/$nomfichier_name\" alt=\"$alt\" ".$misura[3]."&gt;</h2></font></center><br><br>";
         echo "<center><h2>"._TITLEDIMENSION."</h2></center><br>\n";
         dimensionefiles($chemin,$nomfichier_name,$testotoobig[0],$testotoobig[1],$alertdimension['img']);
         echo "<center><h2><br>"._PREVIEW."</h2>\n".
              "<i>"._SUBPREVIEW." "._IMAGE." "._SUBPREVIEW2."</i>:<br><br>\n";
         echo "".$htmlimgstring."</center>";

         }


// Calculate dimensions of swf file and print related html tag
function swftag ($chemin,$nomfichier_name,$alt,$bgcolorswf)
         {
         global $testotoobig,$alertdimension;
         $misura=getimagesize("$chemin/$nomfichier_name");
         $htmlswfstring="<embed ALT=\"$alt\" src=\"$chemin/$nomfichier_name\" quality=high bgcolor=\"#$bgcolorswf\" ".$misura[3]." type=\"application/x-shockwave-flash\" pluginspage=\"http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash\">";
         echo "<center><h2>"._TITLETAG."</h2>\n".
              "<i>"._INSTRUCTIONTAG." "._MOVIE.". "._INSTRUCTIONTAG2."</i><br>\n";
         echo "<font color=\"#000066\"><h2><blockquote>&lt;embed ALT=\"$alt\" src=\"$chemin/$nomfichier_name\" quality=high bgcolor=\"#$bgcolorswf\" ".$misura[3]." type=\"application/x-shockwave-flash\" pluginspage=\"http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash\"&gt;</h2></font></center><br><br>";
         echo "<center><h2>"._TITLEDIMENSION."</h2></center><br>\n";
         dimensionefiles($chemin,$nomfichier_name,$testotoobig[2],$testotoobig[3],$alertdimension['swf']);
         echo "<center><h2><br>"._PREVIEW."</h2>\n".
              "<i>"._SUBPREVIEW." "._MOVIE." "._SUBPREVIEW2."</i>:<br><br>\n";
         echo "".$htmlswfstring."</center>";
         }


// Check dimension of file and print alert message
function otherfiles ($chemin,$nomfichier_name)
         {
         global $testotoobig,$alertdimension,$nukeurl;
         echo "<center><h2>"._TITLEDIMENSION."</h2></center><br>\n";
         dimensionefiles($chemin,$nomfichier_name,$testotoobig[4],$testotoobig[5],$alertdimension['other']);
         echo "<center><h2>"._TITLEDOWNLOAD."</h2></center><br>\n";
         echo "<center>"._INSTRUCTIONDOWN."</center><br>".
         _FILEURL.": <font color=\"#000066\">$nukeurl/$chemin/$nomfichier_name</font><br>\n";
         $dimensione=filesize("$chemin/$nomfichier_name");
         echo ""._FILESIZE.": <font color=\"#000066\">$dimensione</font> "._BYTES."<br>\n";
         echo ""._HOMEPAGE.": <font color=\"#000066\">$nukeurl</font><br>";
         }


// Chmod the stored file to 644 so it is not executable.
function chmod_no_execution($nomfichier_name)
        {
        global $chemin;
        chmod ("$chemin/$nomfichier_name", 0644);
        }


// $nomfichier (temporary path) and $nomfichier_name (client-side file name)
// are expected to be filled in by register_globals from the form's
// "nomfichier" file input (PHP 4 style; the $_FILES array is never consulted).
if ($nomfichier!="")
         {

if ($index_autorisation == "no")
                {
                if (verif_index($nomfichier_name)) {
                        echo "<hr>";
                        echo ""._ERROR." 02: "._YOURFILE." &quot;$nomfichier_name&quot; "._REFUSE."<br>";
                        echo "<hr>";
                        exit;
                        }
                }
if ($execution == "no") {
                // blacklisted script extensions are neutralised by appending ".txt"
                if (check_extension($nomfichier_name)) {
                        $nomfichier_name = "$nomfichier_name.txt";
                        }
                }

if (presence_file($nomfichier_name)) {
                echo "<hr>";
                echo ""._ERROR." 01: "._YOURFILE." $nomfichier_name "._EXIST."<br>";
                echo "<hr>";
                exit;
                }

if (copy($nomfichier, "$chemin/$nomfichier_name"))
        {
        echo ""._YOURFILE." $nomfichier_name "._SUCCESS."<br><p>\n";

// check file type
        $parts = explode(".", $nomfichier_name);
        $imgextension = end($parts);
        switch ($imgextension)
                        {
                        case ("swf"):
                        swftag($chemin,$nomfichier_name,$alt,$bgcolorswf);
                        break;
                        case ("gif"):
                        imagetag($chemin,$nomfichier_name,$alt);
                        break;
                        case ("jpg"):
                        imagetag($chemin,$nomfichier_name,$alt);
                        break;
                        case ("png"):
                        imagetag($chemin,$nomfichier_name,$alt);
                        break;
                        default:
                        otherfiles($chemin,$nomfichier_name);
                        }

        chmod_no_execution($nomfichier_name);
        }
else
        {
        //echo ""._ERRORPERM."<br>";
        //echo ""._PERMISSION."<p>";
        //exit;
        }

}

    echo "<p align=\"right\"><A href=\"http://www.hi-lab.net\"><img src='modules/Easyup/hilab.gif' width='70' height='30' alt='HI-Lab - The Social Technology'></A><p>";
    CloseTable();
    include ("footer.php");

?>
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 4844

Posted: Wed Jul 02, 2008 9:52 am

Hi blith. Have you tried it with RN? I'm assuming it's a module, though it appears to use some specific functions that might need to be added to mainfile (or to this file).
blith
Life Cycles Becoming CPU Cycles


Joined: Jul 18, 2003
Posts: 953

Posted: Wed Jul 02, 2008 10:30 am

Hello, I have not tried it with RN, I was worried about the security of it, not the uploading part but the coding, since the wording is different at the opening if statement. Does the code look secure? I will try and install it and see what happens. Thanks!
blith
Life Cycles Becoming CPU Cycles


Joined: Jul 18, 2003
Posts: 953

Posted: Wed Jul 02, 2008 10:44 am

Well I have tried it and I keep getting the error.

ERROR 01: The file already exist on the server!

which it doesn't; I tried to upload a zip file and a bmp. I am looking at the code to see what went wrong.
blith
Life Cycles Becoming CPU Cycles


Joined: Jul 18, 2003
Posts: 953

Posted: Wed Jul 02, 2008 11:10 am

Here is the line that pertains to the file existing.
Code:

// Check whether the file already exists in the chosen upload directory
function presence_file($nomfichier_name)
        {
        global $chemin;
        if (file_exists("$chemin/$nomfichier_name")) return true;
        return false;
        }


but the file did not exist
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 4844

Posted: Wed Jul 02, 2008 11:18 am

That function should return a false if the file doesn't exist, but I'm not sure that is the problem.

Why not add a line after the global $chemin:
Code:
        die('$chemin = '.$chemin.'<br />$nomfichier_name = '.$nomfichier_name);


That will at least tell you what it's checking for and may shed some light on the issue.

As for this being secure - I'd be wary of allowing users to upload anything, unless it's very limited. I did note something alarming: the $user variable is referenced - but it isn't used to prevent random people (i.e. non-members) from uploading files. IMO, that's not good...
blith
Life Cycles Becoming CPU Cycles


Joined: Jul 18, 2003
Posts: 953

Posted: Wed Jul 02, 2008 11:54 am

kguske wrote:
That function should return a false if the file doesn't exist, but I'm not sure that is the problem.

Why not add a line after the global $chemin:
Code:
        die('$chemin = '.$chemin.'<br />$nomfichier_name = '.$nomfichier_name);


That will at least tell you what it's checking for and may shed some light on the issue.

As for this being secure - I'd be wary of allowing users to upload anything, unless it's very limited. I did note something alarming: the $user variable is referenced - but it isn't used to prevent random people (i.e. non-members) from uploading files. IMO, that's not good...


Got returned:
Code:
$chemin = images/materiali
$nomfichier_name =

So it is not finding a file, just not uploading. Additionally, it does not allow any php or .exe extensions.... you could limit any extensions I suppose. My main reason for posting it here is to see if it could be RavenNuked, i.e. made more safe by someone who knows the RN code.
blith
Life Cycles Becoming CPU Cycles


Joined: Jul 18, 2003
Posts: 953

Posted: Wed Jul 02, 2008 1:12 pm

Never mind all this. NSN GR downloads 750 pl2 does everything I need... Thanks!
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 4844

Posted: Wed Jul 02, 2008 1:18 pm

Actually, since the file is blank / empty, it does find a file (the directory).

You should definitely not allow php or exe files, especially since it's in an accessible directory.

Not sure why the file name is blank, or why RN would impact that.
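A hardened form of the module's upload engine that addresses the points raised in this thread (no member check on $user, blacklisted rather than allowlisted extensions, files stored under their client-supplied name in a web-accessible directory, and the empty file name that register_globals left behind). This is an added illustration, not code from the Easyup module, RavenNuke or any poster; it assumes PHP-Nuke's is_user($user) helper, the module's two target directories, and that the form still posts the file as "nomfichier" and the directory choice as "percorso".

```php
<?php
// Added example (not the module's code): store an upload safely.
// Assumes PHP-Nuke's is_user($user) helper and the module's two directories.
function easyup_store_upload($user, $percorso, array $files)
{
    // 1. Only logged-in members may upload; the original never checked $user.
    if (!is_user($user)) {
        return array(false, 'login required');
    }
    // 2. Target directory comes from a fixed map, never from user input.
    $dirs = array('1' => 'images/upload', '2' => 'images/materiali');
    if (!isset($dirs[$percorso])) {
        return array(false, 'unknown target');
    }
    $dir = $dirs[$percorso];

    // 3. Read the file from $_FILES instead of register_globals, which is
    //    what left $nomfichier_name empty in the thread above.
    if (!isset($files['nomfichier']) || $files['nomfichier']['error'] !== UPLOAD_ERR_OK) {
        return array(false, 'no file received');
    }
    $upload = $files['nomfichier'];

    // 4. Allowlist of extensions: anything not listed is refused, so the
    //    php5 / phtm / .htaccess gaps of a blacklist do not exist.
    $allowed = array('gif', 'jpg', 'png', 'swf', 'zip', 'pdf');
    $ext = strtolower(pathinfo($upload['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        return array(false, 'file type not allowed');
    }
    // 5. Images must actually parse as images; a renamed script fails here.
    if (in_array($ext, array('gif', 'jpg', 'png'), true)
        && @getimagesize($upload['tmp_name']) === false) {
        return array(false, 'not a valid image');
    }
    // 6. Size limit enforced before storing, not reported afterwards.
    if ($upload['size'] > 500 * 1024) {
        return array(false, 'file too large');
    }
    // 7. Server-chosen name: the client's name never reaches the filesystem,
    //    which also removes the index.* and "already exists" special cases.
    $name = bin2hex(random_bytes(8)) . '.' . $ext;   // random_bytes: PHP 7+
    $dest = $dir . '/' . $name;
    // 8. move_uploaded_file() refuses anything that is not a real upload.
    if (!move_uploaded_file($upload['tmp_name'], $dest)) {
        return array(false, 'could not store file');
    }
    chmod($dest, 0644);   // readable by the web server, never executable
    return array(true, $dest);
}

if (isset($_POST['percorso'])) {
    list($ok, $result) = easyup_store_upload($user, $_POST['percorso'], $_FILES);
}
```

The directory map and the `is_user()` call are the two pieces that tie the check to the site's own session handling; everything else is plain PHP and can be dropped into any module.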
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 4844

Posted: Wed Jul 02, 2008 1:21 pm

Sorry - glad you resolved it.