HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

SFM Plugin: Enhancements and feedback

2»

Comments

  • TeoTeo New
    edited July 2016

    it was:

        // we make an exception when url = /sfm and when in the url is a delete, compress or extract string,  which contains at least: delete=uploads/sfm/'.$UserID
         elseif ($_SERVER['QUERY_STRING'] != 'p=sfm'
             and strpos($_SERVER['QUERY_STRING'], 'delete=uploads/sfm/'.$UserID) != true 
             and strpos($_SERVER['QUERY_STRING'], 'compress=uploads/sfm/'.$UserID) != true
             and strpos($_SERVER['QUERY_STRING'], 'extract=uploads/sfm/'.$UserID) != true ) {
    
             //echo 'no access';
             $location = '/sfm';
             header("Location: " . "http://" . $_SERVER['HTTP_HOST'] . $location);
             die();
    
         } 
    
    /* END PROTECT URL */
    

    now is as you said and it works!
    Thanks a lot XD

    Is there a way to have some kind of Downloads area with permission? Something where other can download files?

  • jackmaessenjackmaessen ✭✭✭
    edited July 2016

    @Teo
    This might be working now but you have to fix the vulnerability which has come up now.
    So put this line below in your script ( at the very end of it, after the last <?php in sfm.php) and look what output it creates:
    echo $_SERVER['QUERY_STRING'];
    Now you must copy the output into this line below:
    elseif ($_SERVER['QUERY_STRING'] != 'copy the output here'
    and you have to modify line 8 ( line 8 previous post)
    $location = '/index.php?p=/sfm';

    So it should now look like this:

    // we make an exception when url = /sfm and when in the url is a delete, compress or extract string,  which contains at least: delete=uploads/sfm/'.$UserID
         elseif ($_SERVER['QUERY_STRING'] != 'copy the output here'
             and strpos($_SERVER['QUERY_STRING'], 'delete=uploads/sfm/'.$UserID) != true 
             and strpos($_SERVER['QUERY_STRING'], 'compress=uploads/sfm/'.$UserID) != true
             and strpos($_SERVER['QUERY_STRING'], 'extract=uploads/sfm/'.$UserID) != true ) {
             //echo 'no access';
             $location = '/index.php?p=/sfm';
             header("Location: " . "http://" . $_SERVER['HTTP_HOST'] . $location);
             die();
         } 
    /* END PROTECT URL */
    

    Is there a way to have some kind of Downloads area with permission? Something where other can download files?

    Unfortunately: No not in this script....

  • Hi jackmaessen, thnaks for the heads up m8, here what i replaced it seems working fine:

        // we make an exception when url = /sfm and when in the url is a delete, compress or extract string,  which contains at least: delete=uploads/sfm/'.$UserID
             elseif ($_SERVER['QUERY_STRING'] != 'p=/sfm'
                 and strpos($_SERVER['QUERY_STRING'], 'delete=uploads/sfm/'.$UserID) != true 
                 and strpos($_SERVER['QUERY_STRING'], 'compress=uploads/sfm/'.$UserID) != true
                 and strpos($_SERVER['QUERY_STRING'], 'extract=uploads/sfm/'.$UserID) != true ) {
                 //echo 'no access';
                 $location = '/index.php?p=/sfm';
                 header("Location: " . "http://" . $_SERVER['HTTP_HOST'] . $location);
                 die();
             } 
        /* END PROTECT URL */
    
Sign In or Register to comment.