
I'm working on an upload script, and I want a user to be able to upload any file. I had it all working on localhost; I added

    php_flag engine off 
    AddType text/plain php html shtml php5 php4 php3 cgi asp aspx xml

to my .htaccess in the upload folder, and it showed the source of PHP, HTML and all other files, exactly as I wanted. Now I tried to upload it to a real webserver, and unfortunately my host does not allow such .htaccess files.

I tried opening the files with file_get_content() and fopen() and giving them a text/plain header, but nothing works. It first executes the scripts and shows the output in my textarea.

Do you guys have any suggestions on how I can fix this without .htaccess?

Thanks!

user1362916
  • possible duplicate of [How can I display php source code](http://stackoverflow.com/questions/2561990/how-can-i-display-php-source-code) – JMax Jul 19 '12 at 06:38

1 Answer


Don't upload files into the webroot and let people access them directly. As you say, .php scripts (and probably a lot more) get executed that way. A classic way for arbitrary code execution attacks.

Store uploaded files outside the webroot where they're not publicly accessible and create a script that allows users to download the files, for example using readfile or Apache mod_xsendfile, after having done the necessary permission checks.

Also see Security threats with uploads.

deceze
  • I've stored them in a different folder, and I also have a download script that forces a download. But here's the thing: if a user uploads an mp3 file or movie, a flashplayer is loaded when accessing the file. I'd like to show the raw contents of the PHP file in a – user1362916 Jul 18 '12 at 11:10
  • That sounds like a completely different question...?! – deceze Jul 18 '12 at 11:13
  • Nope, it's the same I guess; I can give you an example if you want, to make it a bit more clear – user1362916 Jul 18 '12 at 11:15
  • Here's an example of an uploaded .JS file: http://www.dumpzor.com/n2mmji9cr9.dl I want it to do the exact same when uploading .PHP files, just show the raw source of it in the textarea. – user1362916 Jul 18 '12 at 11:22
  • So, have a page with a ` – deceze Jul 18 '12 at 11:58
  • Yes, kinda like that! I tried it using the highlight_file() function, but again, it executes the script instead of showing the highlighted version – user1362916 Jul 18 '12 at 11:59
  • It *executes* the file when running it through `highlight_file(file_get_contents())`?! I can guarantee you that it *doesn't*. – deceze Jul 18 '12 at 12:09
  • You're right about that. Got the highlighted stuff working perfectly on local, but on the real server it does not output anything at all; could this be a .htaccess restriction again? Yep.. this sucks: Warning: highlight_file() [function.highlight-file]: URL file-access is disabled in the server configuration in – user1362916 Jul 18 '12 at 12:15
  • I got it fixed. I had the full URL to the file in my database, and my host didn't allow this. So I added the path to the file (without the domain), added that to the highlight_file() function and it's working like a charm! – user1362916 Jul 18 '12 at 12:41