phpfreek
Nov 6 2006, 08:45 AM
Hello;
If you are running a website that offers free image hosting, then this is for you!
If the image hosting script you are using is a bit poor, hackers can use this to upload their "PHP shell" and be able to make modifications to your site!!!
You might say this wouldn't happen to you!... but it happened to me...
My website is mostly a family website, so all my family checks it, and when the hackers acted... I got humiliated... they put "inappropriate pages" on my site...
I had to delete everything they put up and disable the image hosting service, but all this after I got humiliated... so watch out, guys!!
Reply
brandice
Nov 6 2006, 03:04 PM
What was the hosting script that you used? Just so we know what to look out for...
Reply
Rap_Speedy
Nov 25 2006, 03:34 PM
That could happen, but if your upload script only allows pictures... there's a slightly smaller chance of that.
Reply
shadowx
Nov 25 2006, 06:11 PM
QUOTE: That could happen, but if your upload script only allows pictures... there's a slightly smaller chance of that.

Less likely, yes, but not impossible. There is a way to get PHP to execute within an image, as some signatures you see do, the ones which display your IP, OS etc... The only way I know of doing this is to write the PHP code yourself and specify an image document type, but I'm sure there is an exploit somewhere which will allow such images to be uploaded. As a rule I wouldn't normally allow people to upload their own images, just because it's risky in what they might upload, including illegal images and code etc... It might be an idea to try to add a feature to let people specify a URL to an image already hosted, and to have them upload these images on some other professional image host. Might defeat the point though!
Reply
garbage
Nov 27 2006, 03:06 PM
Well, sorry to hear about that, but for those who are running image hosting sites, please beware...
Reply
apacheNewbie
Nov 28 2006, 05:51 AM
I think there is a procedure in PHP to make sure that the input would not be parsed as a PHP script. The same thing which is used to prevent SQL injection.
Reply
Kioku
Dec 23 2006, 05:09 AM
If I recall correctly, Image Shack used to have a vulnerability to something like this and some forms of spyware were actually trying to slip their way in, along with the image upload. Eventually, they had something scripted in that blocks anybody who has cool web search and the like from uploading anything.
Reply
daler
Dec 25 2006, 07:44 AM
I wrote an upload script in PHP a few years ago that allowed users to upload jpg/gif images. The 3 important things that must be in an upload script are:
1. Check the file's name (in my case, ensure it's a .jpg or .gif and not anything else)
2. Check the file's CONTENT-TYPE
3. Set the permissions of the file so that it isn't allowed to be "executed" (read/write only)
Also, I dynamically renamed the files so that:
1. Overwriting existing files of the same name wouldn't be a problem
2. More secure: if the above methods failed, at least the file would have an arbitrary name like randomname.jpg instead of something like index.gif.php
Finally, be careful about allowing users to upload files into a directory visible from the web.
Reply
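The three checks and the random rename described in the post above, plus the "PHP hidden inside an image" concern raised earlier in the thread by shadowx, written out as one handler. This is an added example and not any poster's code: it assumes PHP 8.0+ with the fileinfo and GD extensions, a form field named "image", and a storage directory (the UPLOAD_DIR path is an assumption) that sits outside the web server's DocumentRoot. One caveat on step 3 of the post: filesystem execute bits only matter for CGI-style execution; a module such as mod_php will interpret a world-readable .php file regardless, so the random rename, the byte-level content check and the non-web-reachable directory do the real work here.

```php
<?php
// Added example, not any poster's code: a hardened handler for a form field
// named "image". Assumes PHP 8.0+ with the fileinfo and GD extensions, and a
// storage directory OUTSIDE the web server's DocumentRoot (path is an assumption).
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads_private';   // assumption: not web-reachable
const MAX_BYTES  = 2 * 1024 * 1024;

// Extension => the MIME type the bytes must actually have. Nothing else is accepted.
const ALLOWED = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
    'png'  => 'image/png',
];

/**
 * Validate one entry of $_FILES and return the extension it will be stored
 * under. Throws RuntimeException with the reason for rejection.
 */
function validateImage(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload error code ' . (int) $file['error']);
    }
    // Refuse anything that did not arrive through the HTTP upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // 1. Check the name: only the LAST extension counts, so "x.jpg.php" is
    //    rejected outright and "x.php.jpg" is later stored as <random>.jpg.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }

    // 2. Check the CONTENT TYPE from the bytes on disk, never from
    //    $_FILES['image']['type'], which the client chooses.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content type $mime does not match .$ext");
    }
    // ...and require a header that the image library can actually parse.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a decodable image');
    }
    return $ext;
}

/**
 * Re-encode the image through GD and store it under a random name.
 * Re-encoding keeps the pixels but drops comments, EXIF blocks and trailing
 * bytes, which is where script text hidden "inside an image" usually lives.
 */
function storeImage(array $file, string $ext): string
{
    $name = bin2hex(random_bytes(16)) . '.' . $ext;   // e.g. 3f9a...c1.jpg
    $dest = UPLOAD_DIR . '/' . $name;

    $img = match ($ext) {
        'jpg', 'jpeg' => imagecreatefromjpeg($file['tmp_name']),
        'gif'         => imagecreatefromgif($file['tmp_name']),
        'png'         => imagecreatefrompng($file['tmp_name']),
    };
    if ($img === false) {
        throw new RuntimeException('image decode failed');
    }
    $written = match ($ext) {
        'jpg', 'jpeg' => imagejpeg($img, $dest, 85),
        'gif'         => imagegif($img, $dest),
        'png'         => imagepng($img, $dest),
    };
    imagedestroy($img);
    if (!$written) {
        throw new RuntimeException('could not write image');
    }
    // 3. Owner read/write, everyone else read-only, no execute bit anywhere.
    chmod($dest, 0644);
    return $name;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['image'])) {
    try {
        $ext  = validateImage($_FILES['image']);
        $name = storeImage($_FILES['image'], $ext);
        echo 'stored as ' . htmlspecialchars($name);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ' . htmlspecialchars($e->getMessage());
    }
}
```

Because the files live outside the DocumentRoot, they are served by a small read-only script that looks the random name up, sets the Content-Type from the validated extension and streams the bytes with readfile(); the web server never gets the chance to pick a handler for the uploaded file itself.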
-[Nero]-
Jan 10 2007, 03:21 AM
Mind telling us which picture hosting website you used? Please let me know so that I can set rules in my forum to prevent any damage from occurring.
Reply
FLaKes
Jan 10 2007, 08:52 AM
He didn't use a website, he used a script for his own image uploading website. There are so many image hosting websites out there that I wouldn't really bother making my own, though. It would be good for practice, but unless you have bandwidth and your own server it could be fun.
Reply
Galahad
Sep 7 2007, 10:33 PM
QUOTE(jlhaslip @ Sep 6 2007, 07:48 PM)
Check in the Tutorial Section here at Trap17. There is one that uses a folder named with a jpg (or png) extension that would likely work for you.
I think the problem is that .php is not an acceptable file extension for uploading to this server. If you have the script named index.php inside a folder named with an acceptable file extension, it might work?
I think the Tutorial I am referring to can be found using "sig rotator" as a search value.

Thanks for that, I already talked to alex7h3pr0gr4m3r about his dynamic Trap17 status image, and he said he used that folder.jpg method, with an index.php script inside... It is so simple, and so obvious, that it completely eluded me, and I think I would have never thought of it... But, as you can see now, there is a dynamic image in my sig, and I'm actually working on releasing a public version, with software to download and update one's status, and a sig for every user... But it's a big work ahead of me. Hopefully, I will find some beta testers here.
Reply
jlhaslip
Sep 6 2007, 05:48 PM
QUOTE(Galahad @ Sep 6 2007, 05:36 AM)
Well, I have created a certain signature, that I use in forums that allow members to have hosted images in their signatures via IMG tag, and don't check for extensions... Trap17 doesn't allow it, so I'm not using it here, but I certainly can see how one could easily make a malicious PHP script, and take over some site, or crash it... If you want to see my signature, go see http://status.galahad.trap17.com/stat.php ... It is a pure JPEG picture, no malicious code... If it's not allowed to have links here, mods, please remove this section, it's not my intent to promote my site, just to show how it would work.

Check in the Tutorial Section here at Trap17. There is one that uses a folder named with a jpg (or png) extension that would likely work for you. I think the problem is that .php is not an acceptable file extension for uploading to this server. If you have the script named index.php inside a folder named with an acceptable file extension, it might work? I think the Tutorial I am referring to can be found using "sig rotator" as a search value.
Reply
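The "folder.jpg containing index.php" arrangement discussed in the two posts above works because Apache picks a handler from the file's own name and the server's handler configuration, not from the name of the directory it sits in; a directory that receives user uploads therefore needs the handler side pinned down as well. The following is an added example, not from any poster or from Trap17: a .htaccess for such a directory (assumes Apache 2.4 and an AllowOverride setting that permits FileInfo, Options and AuthConfig directives in .htaccess).

```apache
# Added example (not any poster's config): place as .htaccess in the directory
# that holds user uploads, or use the same directives in a <Directory> block.
# Assumes Apache 2.4 with AllowOverride FileInfo Options AuthConfig.

# Turn the PHP interpreter off for this tree when PHP runs as an Apache module.
# (Wrapped in IfModule so the directive does not break a PHP-FPM server.)
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>

# Remove any handler or type mapping that would run a file by extension,
# serve everything as a plain static file, and forbid CGI even if a file
# somehow has its execute bit set.
RemoveHandler .php .phtml .php3 .php4 .php5 .php7 .phar .cgi .pl .py
RemoveType    .php .phtml .php3 .php4 .php5 .php7 .phar
SetHandler default-handler
Options -ExecCGI -Indexes

# Default deny, then re-allow only names that end in an image extension.
# This access check runs before any handler, so it still holds on a
# PHP-FPM setup where the php_flag above is ignored.
Require all denied
<FilesMatch "\.(?i:jpe?g|gif|png)$">
    Require all granted
</FilesMatch>
```

With this in place a file named shell.php, or index.php dropped into a folder called anything.jpg, is never executed and is not even served from the upload tree; the validation in the upload script remains the first line of defence, and this configuration is what catches the case where that validation fails.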
benzkids
Sep 6 2007, 01:35 PM
If I was a really smart guy (which I'm not, lol) I would make a script that makes you, the administrator, OK the pics (in other words, you have to say "yes, I will allow this certain picture on my website") so you know what people are putting up on your website. But unfortunately I am not a smart guy and I don't know how to write scripts. This is all assuming that I got the right idea of what you're talking about.
Reply
Galahad
Sep 6 2007, 11:36 AM
Well, I have created a certain signature, that I use in forums that allow members to have hosted images in their signatures via IMG tag, and don't check for extensions... Trap17 doesn't allow it, so I'm not using it here, but I certainly can see how one could easily make a malicious PHP script, and take over some site, or crash it... If you want to see my signature, go see http://status.galahad.trap17.com/stat.php ... It is a pure JPEG picture, no malicious code... If it's not allowed to have links here, mods, please remove this section, it's not my intent to promote my site, just to show how it would work.
Reply
ImageFilez.com
Aug 27 2007, 10:13 PM
I am really interested in what image hosting script you were using? As I knew that the turnkey image hosting scripts had these problems.
Reply