// we make an exception when url = /sfm and when the url contains a delete, compress or extract string that includes at least: delete=uploads/sfm/'.$UserID
elseif ($_SERVER['QUERY_STRING'] != 'p=sfm'
    and strpos($_SERVER['QUERY_STRING'], 'delete=uploads/sfm/'.$UserID) === false // strpos() returns int|false, so test with === false
    and strpos($_SERVER['QUERY_STRING'], 'compress=uploads/sfm/'.$UserID) === false
    and strpos($_SERVER['QUERY_STRING'], 'extract=uploads/sfm/'.$UserID) === false ) {
    //echo 'no access';
    $location = '/sfm';
    header("Location: " . "http://" . $_SERVER['HTTP_HOST'] . $location);
    die();
}
/* END PROTECT URL */
Now it is as you said and it works!
Thanks a lot XD
Is there a way to have some kind of Downloads area with permission? Something where others can download files?
@Teo
This might be working now but you have to fix the vulnerability which has come up now.
So put this line below in your script (at the very end of it, after the last <?php in sfm.php) and look what output it creates:
echo $_SERVER['QUERY_STRING'];
Now you must copy the output into this line below:
elseif ($_SERVER['QUERY_STRING'] != 'copy the output here'
and you have to modify line 8 (line 8 previous post):
$location = '/index.php?p=/sfm';
So it should now look like this:
// we make an exception when url = /sfm and when the url contains a delete, compress or extract string that includes at least: delete=uploads/sfm/'.$UserID
elseif ($_SERVER['QUERY_STRING'] != 'copy the output here'
    and strpos($_SERVER['QUERY_STRING'], 'delete=uploads/sfm/'.$UserID) === false // strpos() returns int|false, so test with === false
    and strpos($_SERVER['QUERY_STRING'], 'compress=uploads/sfm/'.$UserID) === false
    and strpos($_SERVER['QUERY_STRING'], 'extract=uploads/sfm/'.$UserID) === false ) {
    //echo 'no access';
    $location = '/index.php?p=/sfm';
    header("Location: " . "http://" . $_SERVER['HTTP_HOST'] . $location);
    die();
}
/* END PROTECT URL */
Is there a way to have some kind of Downloads area with permission? Something where others can download files?
Hi jackmaessen, thanks for the heads up m8, here is what I replaced; it seems to be working fine:
// we make an exception when url = /sfm and when the url contains a delete, compress or extract string that includes at least: delete=uploads/sfm/'.$UserID
elseif ($_SERVER['QUERY_STRING'] != 'p=/sfm'
    and strpos($_SERVER['QUERY_STRING'], 'delete=uploads/sfm/'.$UserID) === false // strpos() returns int|false, so test with === false
    and strpos($_SERVER['QUERY_STRING'], 'compress=uploads/sfm/'.$UserID) === false
    and strpos($_SERVER['QUERY_STRING'], 'extract=uploads/sfm/'.$UserID) === false ) {
    //echo 'no access';
    $location = '/index.php?p=/sfm';
    header("Location: " . "http://" . $_SERVER['HTTP_HOST'] . $location);
    die();
}
/* END PROTECT URL */
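A stricter form of the check discussed in this thread, as an added example that is not part of any post or of the plugin: it parses the query string instead of substring-matching it, and treats the user folder as a path prefix that ends in a slash. The function name sfm_query_allowed, the assumed request shape p=/sfm&<action>=uploads/sfm/<UserID>/... and the sample query strings are assumptions.

```php
<?php
// Added example (not the plugin's code). Names and sample values are hypothetical.
// Assumed request shape: p=/sfm[&<action>=uploads/sfm/<UserID>/...]

function sfm_query_allowed(string $queryString, string $userId, string $page = '/sfm'): bool
{
    parse_str($queryString, $params);   // splits on & and URL-decodes each value once

    // The page parameter must match exactly, not merely appear somewhere.
    if (($params['p'] ?? null) !== $page) {
        return false;
    }
    unset($params['p']);
    if ($params === []) {
        return true;                    // plain file-manager view
    }

    // Exactly one extra parameter, and it must be a known action with a string path.
    $action = array_key_first($params);
    $path   = $params[$action];
    if (count($params) !== 1
        || !in_array($action, ['delete', 'compress', 'extract'], true)
        || !is_string($path)) {
        return false;
    }

    // Prefix test with a trailing slash, so user 1 does not also match user 10.
    $base = 'uploads/sfm/' . $userId . '/';
    if (strncmp($path . '/', $base, strlen($base)) !== 0) {
        return false;
    }

    // No parent-directory segments anywhere in the decoded path.
    $segments = explode('/', str_replace('\\', '/', $path));
    return !in_array('..', $segments, true);
}

// Constructed sample query strings for a user whose id is 1.
$samples = [
    'p=/sfm',
    'p=/sfm&delete=uploads/sfm/1/report.txt',
    'p=/sfm&delete=uploads/sfm/10/report.txt',
    'p=/sfm&extract=uploads/sfm/1/%2E%2E/2/a.zip',
    'p=/other&note=delete=uploads/sfm/1',
];
foreach ($samples as $qs) {
    printf("%-48s %s\n", $qs, sfm_query_allowed($qs, '1') ? 'allow' : 'redirect');
}
```

A false result corresponds to the branch in the thread's snippet that sends the redirect header and calls die().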
Unfortunately: No not in this script....