Server Help

[Bak]

so you're using your own webserver rather than something like apache?
_________________
SubSpace Discretion: A Third Generation SubSpace Client

[Assassin2684]

Umm.. I guess? I use Blue Host for all my hosting needs..

[Cyan~Fire]

[Bak]

It wasn't the webserver. The handler only checks the mime type of what they're uploading (and not the extension), which can be faked easily.

Code: Show/Hide $_FILES['userfile']['type']     The mime type of the file, if the browser provided this information. An example would be "image/gif". This mime type is however not checked on the PHP side and therefore don't take its value for granted.

Code: Show/Hide $allowed_types = array( //Allowed types         "image/gif" => "gif",         "image/pjpeg" => "jpg",         "image/png" => "png",         "image/bmp" => "bmp",         "image/jpeg" => "jpg",     );             if(!array_key_exists($_FILES['userfile']['type'], $allowed_types)) { // Check the extension if its allowed         die(" Invalid file type!</font></center>");     }

EDIT: you son of a bitch cyan

[Cerium]

So basically, the guy uploaded a .php file with some forged http headers to make the uploading script think it was a jpeg?

What were you using to allow uploads (For the love of god, don't say phpbb)?
_________________
There are 7 user(s) ignoring me right now.

[Assassin2684]

No, I dont use phpbb, all I was using was the upload script. Again, I dont know how the person or why the person even did it. Pretty stupid to hack a site thats not even being used lol.

[Cyan~Fire]

Pretty stupid to add a random insecure file uploader to your site. Reminds me of something from hackthissite.org.

[Assassin2684]

Haha.. ya, I suppose. But it wasn't realy a random one, its one a friend made. But it was my fault I didn't look at the code. Oh well..