MakeWebGames

Simple Line of code to stop Session Hijacking and Auto-Admin


Joshua


Ok, for all those who have been like myself, curious, I just discovered this works well.

 

This will Secure your "Upload Display_Pic" form and stop users from entering code instead of a URL.

 

function pic_change() {
 global $ir, $db;
 // Fetches the current picture; the result is not used further down
 $Pic = $db->query(sprintf("SELECT `display_pic` FROM `users` WHERE `userid`='%d'", $ir['userid']));
 if (isset($_POST['NewPic']))
 {
  if ($_POST['NewPic'] == '') {
   echo 'You Did Not Enter An Image';
  } else {
   // Extension check only: the dot is escaped and the match is anchored to the end of the value
   if(!preg_match('~\.(jpg|jpeg|gif|png)$~i', $_POST['NewPic'])) {
    die('Stop trying to abuse a Bug, Enter a picture format!');
   } else {
    $_POST['NewPic'] = str_replace(array("<", ">", "'", ";", ".php", ".html", ".js"), "", $_POST['NewPic']);
    // Escape the value for the query rather than relying on the character stripping above
    $db->query(sprintf("UPDATE `users` SET `display_pic`='%s' WHERE `userid`='%d'", $db->escape($_POST['NewPic']), $ir['userid']));
    echo 'Picture Changed';
   }
  }
 }
}

 

I took this snippet of code

 

  // Extension check: the dot is escaped and the match is anchored to the end of the value
  if(!preg_match('~\.(jpg|jpeg|gif|png)$~i', $_POST['NewPic'])) {
   die('Stop trying to abuse a Bug, Enter a picture format!');
  }

And I put it under

 

function gang_staff_desc2()
{
 global $db,$ir,$c,$userid,$gangdata;
 if($gangdata['gangPRESIDENT'] == $userid)
 {
  if(isset($_POST['titlebanner']))
  {
   // the preg_match check from above goes here, run against $_POST['titlebanner']

 

To ensure the file being uploaded is an image file.

I hope you can figure out how to install this and secure your site, gluck :)


// Extension check: the dot is escaped and the match is anchored to the end of the value
if(!preg_match('~\.(jpg|jpeg|gif|png)$~i', $_POST['NewPic'])) {
   die('Stop trying to abuse a Bug, Enter a picture format!');
}

 

The whole if(!preg_match ...) statement checks if it's jpg, jpeg, gif or png.

Anything else and you get a die(error).

It works, as I'm using it.

I'm new to php but I learned that much.


Doesn't check; it checks if the extension is what you have whitelisted.

Verifying if it is an image, e.g.:

 

<?php
// getimagesize() inspects the bytes; it returns false when they are not an image,
// and @ keeps that case from printing a warning
$imageinfo = @getimagesize($_FILES['uploadfile']['tmp_name']);
if($imageinfo === false || !in_array($imageinfo['mime'], array('image/gif', 'image/jpeg'), true))
{
echo 'Sorry, we only accept GIF and JPEG images';
exit(0);
}
?>

 

Verifying the extension, which doesn't check if it really is an image!!!

 

<?php
$filename = strtolower($_FILES['uploadfile']['name']);
$ext = pathinfo($filename, PATHINFO_EXTENSION); # extension of the client-supplied name only
$whitelist = array('jpg', 'png', 'gif', 'jpeg'); #example of white list
$blacklist = array('php', 'php3', 'php4', 'phtml','exe'); #example of black list
if(!in_array($ext, $whitelist, true))
{
echo 'Invalid file type';
exit(0);
}
if(in_array($ext, $blacklist, true))
{
echo 'Invalid file type';
exit(0);
}
?>

 

You could also secure the upload folder (where you store the images) so that no scripts can be executed from there, through .htaccess:

 

AddHandler cgi-script .php .php3 .php4 .php5 .phtml .pl .py .jsp .asp .htm .shtml .sh .cgi 
Options -ExecCGI
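Putting the two checks from this post together, as an added example that is not mdshare's or mccodes' code: the upload is accepted only when its bytes are an image, and it is stored under a name the server chooses. Assumptions: the form field is "uploadfile", $upload_dir is outside the web root (or has script execution disabled as in the .htaccess above), and PHP 7+ for random_bytes().

```php
<?php
// Added example, not mdshare's or mccodes' code: accept an uploaded display
// picture only when its bytes are an image, and store it under a server-chosen
// name. Assumptions: form field "uploadfile", an $upload_dir outside the web root
// (or with script execution disabled), PHP 7+ for random_bytes().

// Returns the extension to store under, or false if the upload is not an accepted image.
function validate_image_upload(array $file) {
    // Map of accepted content types to the extension the server will assign.
    $ext_by_mime = array('image/gif' => 'gif', 'image/jpeg' => 'jpg', 'image/png' => 'png');

    // Only a real, error-free upload is considered.
    if (!isset($file['error'], $file['tmp_name']) || $file['error'] !== UPLOAD_ERR_OK) {
        return false;
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return false;
    }
    // getimagesize() looks at the bytes, not the client-supplied name; it returns
    // false for non-images, and @ keeps that case from printing an E_WARNING.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset($info['mime'], $ext_by_mime[$info['mime']])) {
        return false;
    }
    return $ext_by_mime[$info['mime']];
}

// Moves the validated upload into $upload_dir; returns the stored file name or false.
function store_image_upload(array $file, $upload_dir) {
    $ext = validate_image_upload($file);
    if ($ext === false) {
        return false;
    }
    // Random name plus server-chosen extension: nothing from the client reaches the path.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($upload_dir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return false;
    }
    return $name;
}

// Constructed usage (field name and directory are assumptions):
$stored = store_image_upload($_FILES['uploadfile'], '/var/www/uploads');
if ($stored === false) {
    echo 'Sorry, we only accept GIF, JPEG and PNG images';
    exit(0);
}
echo 'Picture stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
```

The extension written to disk comes from the detected type, so a client name like "x.php" never influences what is stored or how the web server will treat it.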

Problem with yours and myself,

I'm a trial and error coder right now.

I insert code, see if it works; if it doesn't I mess with it some more, until it does.

 

Yours is completely new to me and I would have to basically start the trial from scratch ><

 

Mine works, though it's not the same as yours: if they enter something other than what I've defined it won't load it, i.e. it stops them from doing the session hack.

Yours is def better, but I know how to install mine :P


I'm trying to help you, Immortalthug, don't see it as an attack. And I'm just like you, trial/error and cursing my PC more than once (should be me instead of the PC) if something doesn't do what I want it to do.

Anyway, what you did was not securing your game against any attack, you simply checked the file extension. And that doesn't tell you if the file is actually an image or not; it could still be malicious...


Trying to read the image size as MD made is nice, also because you could reject images due to their size. Another approach is to check the file signature at the beginning of the file: a gif needs to start with "GIF89a" and a PNG starts with "‰PNG".

Ah, didn't think of that, but I believe that the getimagesize() function should be more than enough as it comes from the same data and it gives you additional power; no clue why a gif, jpg, png should be excluded when the image width/height is known, or I'm missing something again ....

mdshare, I'm still learning PHP and would like to use your code, but where would I add it in my files? I know I would add it to any file that I would have that uploads a pic, but whereabouts?

It isn't my code, it's just some examples of a single function available with PHP; it all depends where to use it in what script. Just read the following and play with it and it shouldn't be difficult at all to implement it in your scripts ----> getimagesize()

Okay I didn't understand this that well but I think I've got it < I think :)

function do_pic_change()
{
 global $db, $h, $userid;
 if($_POST['newpic'] == "")
 {
    echo "Sorry it seems like you haven't inputted anything please go back and try again.
    <a href='preferences.php?action=picchange'>Back</a>";
 }
 else
 {
  // getimagesize() returns false when the target is not an image (or cannot be fetched);
  // @ keeps it from printing a warning in that case
  $image = @getimagesize($_POST['newpic']);
  if(!$image)
  {
   echo "Um yeah you didn't actually think that would work did you?";
  }
  else
  {
   $db->query(sprintf("UPDATE users SET display_pic='%s' WHERE(userid=%u)", $db->escape($_POST['newpic']), $userid));
   echo "Display picture has been changed";
   $h->endpage();
   exit;
  }
 }
}

It doesn't seem to allow anything but an image file, so I think that's a good start to defeating the Admin Hi-Jack. :)

Thanks

DJK


So I was just seeing if it would work, and to my observance it does. What I did is make it so it checks if it is an image in the preferences page by using this.

The only thing is it has to be a valid URL or you will get 1 of these mysql errors:

Warning:  getimagesize(degfedsg) [function.getimagesize]: failed to open stream: No such file or directory in /home/*******/public_html/account.php on line 38

 

Warning:  getimagesize() [function.getimagesize]: Couldn't resolve host name in /home/******/public_html/account.php on line 38



Warning:  getimagesize(http://) [function.getimagesize]: failed to open stream: operation failed in /home/*****/public_html/account.php on line 38

 

$imageinfo = getimagesize($_POST['newpic']);
if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg' && $imageinfo['mime'] != 'image/jpg' && $imageinfo['mime'] != 'image/JPG' && $imageinfo['mime'] != 'image/png' && $imageinfo['mime'] != 'image/ico' && $imageinfo['mime'] != 'image/bmp' && isset($imageinfo))
{
echo "Sorry, we only accept GIF, JPEG, PNG, JPG, ICO, and BMP images!\n";
$h->endpage();
}

 

lol, I didn't observe closely enough: we get the echo but it still updates.


$imageinfo = getimagesize($_POST['newpic']);
if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg' && $imageinfo['mime'] != 'image/jpg' && $imageinfo['mime'] != 'image/JPG' && $imageinfo['mime'] != 'image/png' && $imageinfo['mime'] != 'image/ico' && $imageinfo['mime'] != 'image/bmp' && isset($imageinfo))
{
$_POST['newpic'] = "images/defaultpic.png";
}

 

Ok, I got it doing what I want it to do, but I still get those errors. Is there something I am not doing right making the errors show, or is there a way I can not show the errors?

But they only show if an invalid target is posted or it is not an actual gif, jpg, JPG, jpeg, ico, bmp image.


$imageinfo = getimagesize($_POST['newpic']);
if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg' && $imageinfo['mime'] != 'image/jpg' && $imageinfo['mime'] != 'image/JPG' && $imageinfo['mime'] != 'image/png' && $imageinfo['mime'] != 'image/ico' && $imageinfo['mime'] != 'image/bmp' && isset($imageinfo))
{
print "Sorry, We only accept Images.";
}
else
{
$_POST['newpic'] = "images/defaultpic.png";
}

 

Something along those lines perhaps?

You're making a call that if the images != to, but you aren't telling it what to do if they aren't.


Immortal, what that code does is it only says that it's not an image if it's not, but if it is an image it changes it to the default pic. So I deleted the else and it did what it was supposed to do, but still when the target wasn't valid I got those errors.

Is there something I can do to hide those errors?


Yea, as I said.

Though my coding may not be 100% accurate

You are telling it to check if it's an image, and if it is post a pic.

However, if it ISN'T an error you aren't telling it what to do.

You need to come up with an if or else statement telling it what to do if it's not a picture and if it is a picture.

I have a secured preferences posted up in the regular section of mccodes (not the mods section), perhaps look at that one as it works :-)


Nope, I have the else statement. I believe it is something else; look at the error:

Warning: getimagesize() [function.getimagesize]: Couldn't resolve host name in /home/*****/public_html/account.php on line 38

Warning: getimagesize(http://masdfvs) [function.getimagesize]: failed to open stream: operation failed in /home/mafiagan/public_html/account.php on line 38

Warning: getimagesize(http://www.******.net/city) [function.getimagesize]: could not make seekable - http://www.***.net/city in /home/****/public_html/account.php on line 38

Warning: getimagesize(rsdfvesf) [function.getimagesize]: failed to open stream: No such file or directory in /home/******/public_html/account.php on line 38

Can someone help me either hide this error or make an add-on to this mod:

[mccode v2.x] User Settings [mod] that stops the admin hack


Not the best way, but I think you could turn off error_reporting.

As getimagesize generates an E_WARNING, try adding this to preferences under include "globals.php";

error_reporting(E_ALL ^ E_WARNING);

If that doesn't work you could just try turning off all errors within preferences:

error_reporting(0);

See if that works; try the first one first, use the second one as a last resort (Cannot say if either will work as I've not tested it.)

Or try figure out a way round doing this.

DJK.
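An alternative to turning error reporting off, as an added example that is not the thread's or mccodes' code: validate the display-picture URL before calling getimagesize(), test its return value explicitly, and encode the stored value when it is rendered. Assumptions: $db->escape() and $userid as in the thread's snippets, and allow_url_fopen enabled for the remote content check.

```php
<?php
// Added example, not the thread's or mccodes' code: validate a display-picture URL
// before it is stored and encode it when it is rendered. The URL is checked first
// and the getimagesize() result tested explicitly, so the warnings quoted above do
// not occur and error_reporting can stay on. Assumptions: $db->escape() and $userid
// as in the thread's snippets; allow_url_fopen enabled for the remote content check.

function validate_display_pic_url($url) {
    $url = trim((string) $url);
    if ($url === '' || strlen($url) > 255) {
        return false;                                  // empty or unreasonably long
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;                                  // "degfedsg", "http://" fail here
    }
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return false;                                  // no javascript:, data:, file: ...
    }
    $path = isset($parts['path']) ? $parts['path'] : '';
    $ext  = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if (!in_array($ext, array('jpg', 'jpeg', 'gif', 'png'), true)) {
        return false;                                  // extension allowlist on the path only
    }
    // Content check. Caveat: the server now fetches a user-chosen URL, so keep the
    // timeout short; drop this block if that fetch is not acceptable in your setup.
    ini_set('default_socket_timeout', '5');
    $info = @getimagesize($url);                       // false if unreachable or not an image
    if ($info === false || !in_array($info['mime'], array('image/gif', 'image/jpeg', 'image/png'), true)) {
        return false;
    }
    return $url;
}

// Saving (constructed usage; "newpic" is the field name used in the thread):
$pic = validate_display_pic_url($_POST['newpic']);
if ($pic === false) {
    echo 'Sorry, we only accept a link to a GIF, JPEG or PNG image.';
} else {
    $db->query(sprintf("UPDATE users SET display_pic='%s' WHERE userid=%u",
                       $db->escape($pic), $userid));
    echo 'Display picture has been changed';
}

// Rendering: encode the stored value so nothing in it is interpreted as HTML; this is
// what keeps "code instead of a URL" inert on the profile page whatever was stored.
function display_pic_tag($stored_url) {
    return '<img src="' . htmlspecialchars($stored_url, ENT_QUOTES, 'UTF-8') . '" alt="">';
}
```

Because parse_url() and the scheme/extension checks run before getimagesize(), an invalid target is rejected without the function ever trying to open it, which is why no E_WARNING is produced.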

