General Community > WebsiteBaker Website Showcase
Canadian Erotic Website
Xagone:
No SSL, just Apache and "Deny from all".
Check, I'll give you a link to a direct image:
http://www.mea-culpa.com/SECURED/33_jinny/56/images/10-mea-culpa.jpg
How people will see the image:
http://www.mea-culpa.com/imageread.php?fichier=%2FSECURED%2F33_jinny%2F56%2Fimages%2F10-mea-culpa.jpg
Can you see it? Can you hack it? :P
Here is the "imageread.php" code:
--- Code: ---<?php
require("config.php");
# PHP has already URL-decoded the query string, so the parameter is used as-is (no second urldecode())
$requested = isset($_GET['fichier']) ? $_GET['fichier'] : '';
if(isset($_SESSION['USER_ID']) && SESSION_STARTED) {
    $allowedtypes = array('image/gif', 'image/png', 'image/jpeg');
    # strip literal '../' sequences from the requested path before building the file name
    $fichier = str_replace('../', '', WB_PATH.'/'.$requested);
    # detect the type only for an existing file; a missing file and a file of a
    # non-image type both end up in the same 'oups' branch
    $mimetype = file_exists($fichier) ? mime_content_type($fichier) : false;
    if($mimetype !== false && in_array($mimetype, $allowedtypes)) {
        header("Content-Type: " . $mimetype);
        header("Content-Length: " . filesize($fichier));
        header("Cache-Control: private");
        echo file_get_contents($fichier);
    } else {
        echo 'oups';
    }
} else {
    header('HTTP/1.0 403 Forbidden', TRUE, 403);
    # the requested name is HTML-escaped before being echoed back into the error page
    die('<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don\'t have permission to access '.htmlspecialchars($requested, ENT_QUOTES, 'UTF-8').'
on this server.</p>
</body></html> ');
}
?>
--- End code ---
Just for fun, I stand by my code :P
crnogorac081:
Hi,
The "oups" line is for registered groups, right?
And another dummy question: where do I put this code? :)
cheers
Xagone:
The code is for reading images in the member section.
You put it in a PHP file in the root of your site (the same place as your config.php)
and use it like this in your code:
<img src="/imageread.php?fichier=URLENCODED-ROOT-BASED-FILE-LINK(LIKE /SECURED/LALA/IPS.JPG)" />
It only verifies that you are logged in, not what you are logged in as.
The "oups" is for a file not found, or a backtracking folder attempt (hacking by calling a file outside your website folders).
Here is my "zipread.php" file; use it like imageread.php (with fichier=/secured...), but it downloads the file you link it to.
So if you want only your users to download "thisdocument.doc", you link to zipread.php?fichier=/secured/thisdocument.doc
Here is the code (I've added some comments):
--- Code: ---<?php
require("config.php");
# PHP has already URL-decoded the query string, so the parameter is used as-is (no second urldecode())
$DEC = isset($_GET['fichier']) ? $_GET['fichier'] : '';
if(isset($_SESSION['USER_ID']) && SESSION_STARTED) {
    # extensions nobody should be able to fetch, so the script cannot hand out /config.php or similar
    $unallowed_to_read = array('php','html','htm','htaccess');
    # strip literal '../' sequences from the requested path before building the file name
    $fichier = str_replace('../', '', WB_PATH.'/'.$DEC);
    # the extension is the last piece of the file name split on '.'
    # (end() needs a real variable; passing explode() directly raises a notice)
    $parts = explode('.', $fichier);
    $ext = strtolower(end($parts));
    if(file_exists($fichier) && !in_array($ext, $unallowed_to_read)) {
        header("Content-Type: " . mime_content_type($fichier));
        header("Content-Length: " . filesize($fichier));
        header("Content-Transfer-Encoding: binary");
        header("Cache-Control: private");
        # offer the download under the last segment of the requested path
        header('Content-Disposition: attachment; filename="'.basename($DEC).'"');
        echo file_get_contents($fichier);
    } else {
        # in case of an absent file, a blocked extension or a hacking attempt
        echo 'oups';
    }
} else {
    # not logged in? forbidden!
    header('HTTP/1.0 403 Forbidden', TRUE, 403);
    # the requested name is HTML-escaped before being echoed back into the error page
    die('<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don\'t have permission to access '.htmlspecialchars($DEC, ENT_QUOTES, 'UTF-8').'
on this server.</p>
</body></html> ');
}
?>
--- End code ---
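An added example (editor's code, not Xagone's and not part of WebsiteBaker) of the same image reader with the '../' string stripping replaced by realpath() canonicalisation: the decision is made on where the requested file really resolves on disk, and it must be under WB_PATH. It assumes config.php defines WB_PATH and SESSION_STARTED and starts the session, as in the thread.

```php
<?php
// Added example, not the code posted in this thread: an image reader that decides
// by where the requested file really resolves, not by what the request string looks like.
// Assumes config.php defines WB_PATH and SESSION_STARTED and starts the session (as in the thread).
require("config.php");

// Extension => MIME type pairs this script is willing to serve; anything else is refused.
$ALLOWED_IMAGES = array(
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
);
// Returns the canonical path of $requested (a root-based path such as
// "/SECURED/33_jinny/56/images/10-mea-culpa.jpg") if it is a regular file inside
// $baseDir with an allowed extension and a matching MIME type, otherwise null.
function resolve_protected_file($baseDir, $requested, array $allowed) {
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves '.', '..' and symlinks, so the prefix test below is a test
    // of the file's real location rather than of the characters in the request.
    $real = realpath($base . DIRECTORY_SEPARATOR . ltrim($requested, '/\\'));
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($real === false || strncmp($real, $prefix, strlen($prefix)) !== 0 || !is_file($real)) {
        return null;
    }
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext]) || mime_content_type($real) !== $allowed[$ext]) {
        return null;
    }
    return $real;
}
if (!(isset($_SESSION['USER_ID']) && SESSION_STARTED)) {
    header('HTTP/1.0 403 Forbidden', true, 403);
    exit('Forbidden');
}
$requested = isset($_GET['fichier']) ? $_GET['fichier'] : '';
$file = resolve_protected_file(WB_PATH, $requested, $ALLOWED_IMAGES);
if ($file === null) {
    // Missing, outside WB_PATH, or not an allowed image: the same answer in every case.
    header('HTTP/1.0 404 Not Found', true, 404);
    exit('oups');
}
header('Content-Type: ' . $ALLOWED_IMAGES[strtolower(pathinfo($file, PATHINFO_EXTENSION))]);
header('Content-Length: ' . filesize($file));
header('Cache-Control: private');
readfile($file);
```

Because the check runs on the resolved path, a request written with any mix of encodings or repeated dot segments is judged by the single file it ends up pointing at.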
Argos:
Very nice.. eh... website! :wink:
crnogorac081:
Hi,
Could you please repost this SECURED solution in another, new post, so it would be easier to search for.
I also suggest posting this to the WB help pages..
cheers