Front Office Football Central  

Old 09-19-2008, 07:47 PM   #1
MacroGuru
Coordinator
 
Join Date: May 2003
Location: Utah
File Uploader

Alright, I need a new file uploader...some hacker dipshit exploited the one I was using.

PHP is what I am using.
__________________
"forgetting what is in the past, I strive for the future"

Old 09-19-2008, 08:57 PM   #2
MacroGuru
Coordinator
 
Join Date: May 2003
Location: Utah
Anyone know of one?

Honestly, I ran a search here and it's like I am trying to find the secret of the ark...

Anyways, any help would be appreciated...we were using the Maian Uploader, it was hacked, my server was thrashed...

Need something new that isn't going to be hunted.
__________________
"forgetting what is in the past, I strive for the future"
Old 09-20-2008, 02:41 PM   #3
jdavidbakr
High School Varsity
 
Join Date: Feb 2008
Location: Oklahoma
Here's one I made for a couple of leagues:

FOF Stage Uploader

It's a single file, upload.php, you'll need to edit the variables at the top but if you're familiar with PHP you should be able to figure it out. There are some comments about how to secure your upload directory to prevent anyone from being able to execute the uploaded files. It doesn't have any password protection (i.e. to prevent someone from uploading a file for another team) but again if you are PHP savvy you probably could easily add that.
Old 09-20-2008, 08:42 PM   #4
MacroGuru
Coordinator
 
Join Date: May 2003
Location: Utah
Quote:
Originally Posted by jdavidbakr View Post
Here's one I made for a couple of leagues:

FOF Stage Uploader

It's a single file, upload.php, you'll need to edit the variables at the top but if you're familiar with PHP you should be able to figure it out. There are some comments about how to secure your upload directory to prevent anyone from being able to execute the uploaded files. It doesn't have any password protection (i.e. to prevent someone from uploading a file for another team) but again if you are PHP savvy you probably could easily add that.

Thanks
__________________
"forgetting what is in the past, I strive for the future"
Old 09-24-2008, 10:35 AM   #5
jdavidbakr
High School Varsity
 
Join Date: Feb 2008
Location: Oklahoma
I just made some changes to the stage uploader so you can set passwords for each team. It also rejects any file that is not the correct stage file name for that team. There are directions in the file as to how to set it up.

FOF Stage File Uploader

Last edited by jdavidbakr : 09-24-2008 at 04:58 PM.
Old 09-24-2008, 02:10 PM   #6
headtrauma
H.S. Freshman Team
 
Join Date: Feb 2006
Location: D/FW
macroguru, let me know how this works out for you. If you like it, I'll start using it in the Shiba league.
Old 09-24-2008, 02:19 PM   #7
MacroGuru
Coordinator
 
Join Date: May 2003
Location: Utah
Quote:
Originally Posted by headtrauma View Post
macroguru, let me know how this works out for you. If you like it, I'll start using it in the Shiba league.

Will do, I am going to install it here in a minute.
__________________
"forgetting what is in the past, I strive for the future"
Old 09-24-2008, 03:06 PM   #8
MacroGuru
Coordinator
 
Join Date: May 2003
Location: Utah
Quote:
Originally Posted by headtrauma View Post
macroguru, let me know how this works out for you. If you like it, I'll start using it in the Shiba league.

Definitely cool and easy to set up...we will be using this officially tonight after my sim.
__________________
"forgetting what is in the past, I strive for the future"
Old 10-03-2008, 05:43 PM   #9
sovereignstar
Pro Starter
 
Join Date: Feb 2004
What would I have to do to get rid of the passwords? Or do you still have the older version available? Don't really feel like entering manual passwords for guys.
Old 10-04-2008, 09:37 AM   #10
jdavidbakr
High School Varsity
 
Join Date: Feb 2008
Location: Oklahoma
Quote:
Originally Posted by sovereignstar View Post
What would I have to do to get rid of the passwords? Or do you still have the older version available? Don't really feel like entering manual passwords for guys.

Well, it uses what password the user is logged in with to determine what file is supposed to be uploaded. You could just give them the default passwords. To remove the passwords altogether you'll need to remove the block of code where it checks for a valid login, and then change the following line:

PHP Code:
if ($_FILES['file']['name'] == $expected_name) { 

to

PHP Code:
if (1) { 

The system would then accept any uploaded file so you'll want to make sure that the upload directory is not anywhere on your server that can be executed, as someone could upload a script and have fun on your server. That's the real reason I added the passwords, so that it only allows each team to upload the correctly named file and give feedback if they upload the wrong file.
jdavidbakr is offline   Reply With Quote
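
Added example, not part of the thread and not code from jdavidbakr's uploader: one way to write the check described in post #10, where only the file name expected for the logged-in team is accepted and the stored file ends up where it cannot be executed. The team07.stg naming rule, the size limit and the storage path are assumptions made for illustration.

```php
<?php
// Added example: not the FOF Stage Uploader's own code. The naming rule,
// size limit and storage path below are hypothetical.

const MAX_STAGE_BYTES = 2097152;   // assumed 2 MiB ceiling for a stage file

/** Hypothetical naming rule: team 7 must upload "team07.stg". */
function expected_stage_name(int $team): string
{
    return sprintf('team%02d.stg', $team);
}

/**
 * Decide whether one $_FILES entry may be stored for $team.
 * Returns [true, $destinationPath] or [false, $reason].
 */
function check_stage_upload(array $file, int $team, string $storeDir): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return [false, 'upload failed or no file sent'];
    }
    $size = $file['size'] ?? 0;
    if ($size <= 0 || $size > MAX_STAGE_BYTES) {
        return [false, 'file size out of range'];
    }
    $expected = expected_stage_name($team);
    // Exact, case-sensitive match on the client-supplied name: shell.php,
    // team07.stg.php and ../team07.stg all fail here.
    if (!is_string($file['name'] ?? null) || $file['name'] !== $expected) {
        return [false, "wrong file, expected $expected"];
    }
    // The destination is built from the server-side name only, so the
    // client never controls the path or the extension written to disk.
    return [true, rtrim($storeDir, '/') . '/' . $expected];
}

/** Move the temp file into place; only succeeds inside a real upload request. */
function store_stage_upload(array $file, string $dest): bool
{
    return is_uploaded_file($file['tmp_name'])
        && move_uploaded_file($file['tmp_name'], $dest)
        && chmod($dest, 0640);          // readable, never executable
}

// Command-line demo over constructed $_FILES entries (no real upload).
if (PHP_SAPI === 'cli') {
    $storeDir = '/var/lib/league/stage';   // assumed: outside the document root
    $ok = UPLOAD_ERR_OK;
    $samples = [
        ['name' => 'team07.stg',     'size' => 4096, 'error' => $ok, 'tmp_name' => '/tmp/phpA'],
        ['name' => 'team08.stg',     'size' => 4096, 'error' => $ok, 'tmp_name' => '/tmp/phpB'],
        ['name' => 'shell.php',      'size' => 512,  'error' => $ok, 'tmp_name' => '/tmp/phpC'],
        ['name' => 'team07.stg.php', 'size' => 512,  'error' => $ok, 'tmp_name' => '/tmp/phpD'],
        ['name' => 'team07.stg',     'size' => 0,    'error' => UPLOAD_ERR_INI_SIZE, 'tmp_name' => ''],
    ];
    foreach ($samples as $f) {
        [$accepted, $info] = check_stage_upload($f, 7, $storeDir);
        printf("%-16s %s  %s\n", $f['name'], $accepted ? 'ACCEPT' : 'REJECT', $info);
    }
}
```

In a real request the handler would call check_stage_upload($_FILES['file'], $team, $storeDir) and pass the returned path to store_stage_upload() only on acceptance.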
Old 10-04-2008, 10:31 AM   #11
sovereignstar
Pro Starter
 
Join Date: Feb 2004
Gotcha. I'm just not a big fan of setting passwords for guys. If I was only smart enough to grab them from our vBulletin database. I do like the functionality limiting guys to uploading certain files, so I probably don't want to remove the passwords from your utility either. Thanks anyways!
Old 10-04-2008, 10:35 AM   #12
jdavidbakr
High School Varsity
 
Join Date: Feb 2008
Location: Oklahoma
Quote:
Originally Posted by sovereignstar View Post
Gotcha. I'm just not a big fan of setting passwords for guys. If I was only smart enough to grab them from our vBulletin database. I do like the functionality limiting guys to uploading certain files, so I probably don't want to remove the passwords from your utility either. Thanks anyways!

The password could just be the team name, all it really is is an identifier as to who is uploading the file. One reason I did it with the browser password is that most browsers will allow you to save the password and then you'll log in automatically in the future.
Old 10-04-2008, 10:37 AM   #13
sovereignstar
Pro Starter
 
Join Date: Feb 2004
That's a good point. Our current uploader doesn't save passwords, so I didn't really think of that.
Old 10-04-2008, 11:36 AM   #14
sovereignstar
Pro Starter
 
Join Date: Feb 2004
Heh. I guess I didn't totally understand the importance of the password in your uploader until I actually ran it. I decided to use the team names like you suggested. I think this will work just fine. Thanks again.
Old 10-04-2008, 11:58 AM   #15
sovereignstar
Pro Starter
 
Join Date: Feb 2004
Doh! I see a problem. Guys have to be on the same page in regards to how they enter their league ID as the uploader is case sensitive. The "official" league ID I had told guys to sign up with was 'Imperial'. It doesn't look like many guys actually did that.
Old 10-04-2008, 02:21 PM   #16
gstelmack
Pro Starter
 
Join Date: Oct 2000
Location: Cary, NC
Quote:
Originally Posted by sovereignstar View Post
Gotcha. I'm just not a big fan of setting passwords for guys. If I was only smart enough to grab them from our vBulletin database.

Code:
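// Escape the username before it is placed in the query string
// (assumes $uid has not already been escaped).
$uid = mysql_real_escape_string($uid, $db);
$sql = "SELECT username, password, userid, salt from vb_user where username = '$uid'";
$result = mysql_query($sql, $db) or die("Bad query: " . mysql_error());
if ($myrow = mysql_fetch_array($result)) {
    // vBulletin stores md5(md5(password) . salt); compare as strings.
    if (md5(md5($pwd) . $myrow[3]) === $myrow[1]) {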

Credit to cuervo who I got this snippet from (and once I knew about it, I think I found the similar bit of code inside vBulletin itself). I have an ASP Role Provider that can check against the vBulletin userid / password if anybody ever needs that.
__________________
-- Greg
-- Author of various FOF utilities
Old 12-24-2008, 07:38 AM   #17
Ben E Lou
Morgado's Favorite Forum Fascist
 
Join Date: Oct 2000
Location: Greensboro, NC
Quote:
Originally Posted by jdavidbakr View Post
Here's one I made for a couple of leagues:

FOF Stage Uploader

It's a single file, upload.php, you'll need to edit the variables at the top but if you're familiar with PHP you should be able to figure it out. There are some comments about how to secure your upload directory to prevent anyone from being able to execute the uploaded files. It doesn't have any password protection (i.e. to prevent someone from uploading a file for another team) but again if you are PHP savvy you probably could easily add that.

All of a sudden overnight this stopped working. We're getting invalid password messages in two leagues on the same server. It almost has to be some sort of server-related thing, right? Any ideas as to what could cause this?
__________________
The media don't understand the kinds of problems and pressures 54 million come wit'!
Old 12-24-2008, 08:19 AM   #18
jdavidbakr
High School Varsity
 
Join Date: Feb 2008
Location: Oklahoma
Quote:
Originally Posted by Ben E Lou View Post
All of a sudden overnight this stopped working. We're getting invalid password messages in two leagues on the same server. It almost has to be some sort of server-related thing, right? Any ideas as to what could cause this?

Hm, must be a server-related change - although I'm not sure what they would have changed unless they downgraded PHP, there might be a security setting in PHP that would break that but I have no idea why they would turn that on if there is.

Try making a page "passwordtest.php" with the following content:

PHP Code:
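<?php
// Read the HTTP Basic credentials PHP exposes; empty when none were received.
$username = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
$password = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';
if ($password == '') {
  // No password reached the script: ask the browser to prompt for one.
  header('WWW-Authenticate: Basic realm="Password Test"');
  header("HTTP/1.0 401 Unauthorized");
  echo 'no password was passed to the script';
  exit;
} else {
  echo "Username: $username - Password: $password";
  exit;
}
?>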

then open it up in a browser. It should request a password and if you enter one, it should print the password to the screen. If it does, then I'm not sure why the upload script would not be working; but if it doesn't, you will probably need to contact your hosting provider's tech support and show them that script, and ask them why it's no longer working.
Old 12-24-2008, 08:39 AM   #19
Ben E Lou
Morgado's Favorite Forum Fascist
 
Join Date: Oct 2000
Location: Greensboro, NC
Did that, and it's doing the same thing I'm getting at WOOF/FOWL: just asking for username/password over and over again.

http://www.younglifenorthdekalb.com/...sswordtest.php

Will you verify that it's doing that for you?
__________________
The media don't understand the kinds of problems and pressures 54 million come wit'!

Last edited by Ben E Lou : 12-24-2008 at 08:40 AM.
Old 12-24-2008, 09:37 AM   #20
jdavidbakr
High School Varsity
 
Join Date: Feb 2008
Location: Oklahoma
Quote:
Originally Posted by Ben E Lou View Post
Did that, and it's doing the same thing I'm getting at WOOF/FOWL: just asking for username/password over and over again.

http://www.younglifenorthdekalb.com/...sswordtest.php

Will you verify that it's doing that for you?

Yep, looks like the PHP script isn't receiving the password. This function was added in I think PHP 4.0.1 and it is very odd to me that it would have worked before and is no longer working. You probably should point tech support to that script and ask them why it's not working, obviously they made a change to the server configuration.
Old 12-24-2008, 01:05 PM   #21
Celeval
Pro Starter
 
Join Date: Nov 2000
Location: Cary, NC, USA
A couple thoughts - I don't have a lot of experience debugging this sort, but things that percolate something for someone:

Quote:
As of PHP 4.3.0, in order to prevent someone from writing a script which reveals the password for a page that was authenticated through a traditional external mechanism, the PHP_AUTH variables will not be set if external authentication is enabled for that particular page and safe mode is enabled. Regardless, REMOTE_USER can be used to identify the externally-authenticated user. So, you can use $_SERVER['REMOTE_USER'].

Could be this? Although I don't know why/how external auth would be set up.

Alternatively:

Quote:
The HTTP Authentication hooks in PHP are only available when it is running as an Apache module and is hence not available in the CGI version.

Quote:
Another limitation is if you're using the IIS module (ISAPI) and PHP 4, you may not use the PHP_AUTH_* variables but instead, the variable HTTP_AUTHORIZATION is available. For example, consider the following code:

list($user, $pw) = explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));

Any chance the servers have been moved to IIS from Apache?
Celeval is offline   Reply With Quote
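
Added example, not part of the thread and not the uploader's code: a credential reader that covers the cases quoted in post #21, using PHP_AUTH_USER/PHP_AUTH_PW when PHP sets them and otherwise decoding the raw Authorization header, then mapping the password to a team number the way the uploader's $passwords array does. REDIRECT_HTTP_AUTHORIZATION and the sample passwords are assumptions; it goes beyond the quoted one-liner by rejecting malformed headers and allowing ':' inside a password.

```php
<?php
// Added example: not code from the thread. Sample credentials are constructed.

/**
 * Return [user, password] from HTTP Basic auth, or null when no usable
 * credentials reached PHP. $server is normally $_SERVER.
 */
function basic_auth_credentials(array $server): ?array
{
    // Apache module: PHP has already decoded the header for us.
    if (isset($server['PHP_AUTH_USER'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'] ?? ''];
    }
    // CGI/FastCGI or ISAPI: only the raw header is visible, and only if
    // the web server forwards it (assumed variable names).
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        if (empty($server[$key]) || stripos($server[$key], 'Basic ') !== 0) {
            continue;
        }
        $decoded = base64_decode(substr($server[$key], 6), true);
        if ($decoded === false || strpos($decoded, ':') === false) {
            return null;                      // malformed header
        }
        return explode(':', $decoded, 2);     // limit 2: password may contain ':'
    }
    return null;
}

/** Look up the team number for a password without an early-exit compare. */
function team_for_password(string $pw, array $passwords): ?int
{
    $team = null;
    foreach ($passwords as $known => $number) {
        // Array keys that look numeric become ints, hence the cast.
        if (hash_equals((string) $known, $pw)) {
            $team = $number;
        }
    }
    return $team;
}

// Command-line demo over constructed $_SERVER arrays.
if (PHP_SAPI === 'cli') {
    $passwords = ['Falcons' => 7, 'Bears:2009' => 12];   // constructed
    $requests = [
        'Apache module'       => ['PHP_AUTH_USER' => 'Imperial', 'PHP_AUTH_PW' => 'Falcons'],
        'CGI, header passed'  => ['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('Imperial:Bears:2009')],
        'CGI, wrong password' => ['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('Imperial:nope')],
        'CGI, header dropped' => [],
    ];
    foreach ($requests as $label => $server) {
        $cred = basic_auth_credentials($server);
        if ($cred === null) {
            $result = 'no credentials reached PHP (401 is sent again, browser re-prompts)';
        } else {
            $team = team_for_password($cred[1], $passwords);
            $result = $team === null ? 'bad password' : "team $team";
        }
        printf("%-20s %s\n", $label, $result);
    }
}
```

Under CGI the header only reaches PHP if the web server is configured to forward it; the thread does not say whether this host allows that.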
Old 11-16-2009, 01:51 PM   #22
Flasch186
Coordinator
 
Join Date: May 2002
Location: Jacksonville, FL
JDB can I hit you up via PM about the possibility of helping get your uploader reinstalled on Ben's server for the USFL since when the host did their thing they crashed it with this error

Quote:
Warning: Cannot modify header information - headers already sent by (output started at /services4/webpages/util/y/l/yldekalb.site.aplus.net/public/usfl/ben/upload.php:21) in /services4/webpages/util/y/l/yldekalb.site.aplus.net/public/usfl/ben/upload.php on line 120

Warning: Cannot modify header information - headers already sent by (output started at /services4/webpages/util/y/l/yldekalb.site.aplus.net/public/usfl/ben/upload.php:21) in /services4/webpages/util/y/l/yldekalb.site.aplus.net/public/usfl/ben/upload.php on line 121
Bad password.
__________________
Jacksonville-florida-homes-for-sale

Putting a New Spin on Real Estate!



-----------------------------------------------------------

Commissioner of the USFL
USFL
Old 11-16-2009, 01:55 PM   #23
jdavidbakr
High School Varsity
 
Join Date: Feb 2008
Location: Oklahoma
Quote:
Originally Posted by Flasch186 View Post
JDB can I hit you up via PM about the possibility of helping get your uploader reinstalled on Ben's server for the USFL since when the host did their thing they crashed it with this error

Check what version of PHP is running. I _think_ it has to be PHP >= 5.

What that looks like is that the password is not being sent properly to PHP.
Old 11-16-2009, 02:02 PM   #24
Ben E Lou
Morgado's Favorite Forum Fascist
 
Join Date: Oct 2000
Location: Greensboro, NC
Just double checked. It's PHP 5.
__________________
The media don't understand the kinds of problems and pressures 54 million come wit'!
Old 11-16-2009, 02:07 PM   #25
jdavidbakr
High School Varsity
 
Join Date: Feb 2008
Location: Oklahoma
You'll probably have to look at the uploader.php script then - see what line it's referring to. Basically the "headers have already been sent" message means that there has been some sort of output before a header message. Depending on how you've adjusted the file for your league, it looks like that line is going to be around the place where it's sending the authentication header - check to make sure you don't have any stray output (like text or a blank line before the initial '<?') - check line 21, that seems to be where it's referring to.

Last edited by jdavidbakr : 11-16-2009 at 02:09 PM.
Old 11-16-2009, 02:12 PM   #26
Flasch186
Coordinator
 
Join Date: May 2002
Location: Jacksonville, FL
hmmm, I'll have to take a look from home when I can really focus as I definitely can do a lot of damage. How much do you charge for peeking in via FTP and fixing it if it's easy for ya {seriously}
__________________
Jacksonville-florida-homes-for-sale

Putting a New Spin on Real Estate!



-----------------------------------------------------------

Commissioner of the USFL
USFL
Old 11-16-2009, 02:19 PM   #27
Ben E Lou
Morgado's Favorite Forum Fascist
 
Join Date: Oct 2000
Location: Greensboro, NC
Quote:
Originally Posted by jdavidbakr View Post
You'll probably have to look at the uploader.php script then - see what line it's referring to. Basically the "headers have already been sent" message means that there has been some sort of output before a header message. Depending on how you've adjusted the file for your league, it looks like that line is going to be around the place where it's sending the authentication header - check to make sure you don't have any stray output (like text or a blank line before the initial '<?') - check line 21, that seems to be where it's referring to.

Weird. Keep in mind that I didn't change a thing in the script when the new servers went in place. Line 21 is just a quick echo statement with a new background color. I removed it, and that error is gone. But the "bad password" issue still remains. I'm sending it a password that I know should work from looking in the script.
__________________
The media don't understand the kinds of problems and pressures 54 million come wit'!
Old 11-16-2009, 02:42 PM   #28
jdavidbakr
High School Varsity
 
Join Date: Feb 2008
Location: Oklahoma
Quote:
Originally Posted by Ben E Lou View Post
Weird. Keep in mind that I didn't change a thing in the script when the new servers went in place. Line 21 is just a quick echo statement with a new background color. I removed it, and that error is gone. But the "bad password" issue still remains. I'm sending it a password that I know should work from looking in the script.

Yeah, an echo before the header statement will break it. Maybe it was configured differently before where it would buffer the output to the end of the script (that is an option in PHP which would avoid the error)

For the password, to make sure you are getting the correct data being passed, try echoing the variables in after "Bad Password", something like:

PHP Code:
echo "<h1>Bad password.</h1>";
echo "<P>User: ".$_SERVER['PHP_AUTH_USER']."</P>";
echo "<P>Password: ".$_SERVER['PHP_AUTH_PW']."</P>";
echo "<P>Team Number: ".$passwords[$_SERVER['PHP_AUTH_PW']]."</P>";
exit;

That should give you some idea of where it's breaking (hopefully)
Old 11-16-2009, 02:49 PM   #29
Ben E Lou
Morgado's Favorite Forum Fascist
 
Join Date: Oct 2000
Location: Greensboro, NC
Will do...and in the meantime if you'll bump the correct thread, I'll move this line of posts into it. Nice goin', Flasch.
__________________
The media don't understand the kinds of problems and pressures 54 million come wit'!
Old 11-16-2009, 02:52 PM   #30
Ben E Lou
Morgado's Favorite Forum Fascist
 
Join Date: Oct 2000
Location: Greensboro, NC
Heh. Methinks it's passing it...nothing. The user/pass dialog just keeps coming up every time I enter anything. Finally when I hit cancel, of course I get nulls for everything...

User:

Password:

Team Number:
__________________
The media don't understand the kinds of problems and pressures 54 million come wit'!
Old 11-16-2009, 02:54 PM   #31
jdavidbakr
High School Varsity
 
Join Date: Feb 2008
Location: Oklahoma
bump
Old 11-16-2009, 02:58 PM   #32
jdavidbakr
High School Varsity
 
Join Date: Feb 2008
Location: Oklahoma
Quote:
Originally Posted by Ben E Lou View Post
Heh. Methinks it's passing it...nothing. The user/pass dialog just keeps coming up every time I enter anything. Finally when I hit cancel, of course I get nulls for everything...

User:

Password:

Team Number:

That would be a problem ...

Maybe before PHP was not running in safe mode and now it is? You didn't move from Apache to IIS on the server switch, did you? Gotta be something in the PHP config that changed. Might need to contact the server admin and see what he says. Show him that block of code and he should immediately know why it's not working.
Old 11-16-2009, 03:32 PM   #33
Ben E Lou
Morgado's Favorite Forum Fascist
 
Join Date: Oct 2000
Location: Greensboro, NC
I'll check with the admins. I don't know exactly what they did in the upgrade. I do know that everything is quite a bit faster. I filed a support ticket for this quite some time ago, but it was right in the middle of an upgrade where they'd lost hundreds of auto-increment values in my 10 databases alone, so they probably had bigger fish to fry at the time.
__________________
The media don't understand the kinds of problems and pressures 54 million come wit'!
Old 11-20-2009, 01:08 PM   #34
Flasch186
Coordinator
 
Join Date: May 2002
Location: Jacksonville, FL
Ben

Hear anything back about the PHP stuff from the admins?
__________________
Jacksonville-florida-homes-for-sale

Putting a New Spin on Real Estate!



-----------------------------------------------------------

Commissioner of the USFL
USFL
Old 11-20-2009, 01:12 PM   #35
Ben E Lou
Morgado's Favorite Forum Fascist
 
Join Date: Oct 2000
Location: Greensboro, NC
As soon as I hear something worth reporting, you'll be the first to know.
__________________
The media don't understand the kinds of problems and pressures 54 million come wit'!
Old 12-10-2009, 10:01 AM   #36
Flasch186
Coordinator
 
Join Date: May 2002
Location: Jacksonville, FL
Ben

I hate feeling like or sounding like a nag but I feel like I'm the only league in the FOF universe without a working uploader. Is there anything that can be said or done to make it higher on the totem pole at the host in regards to their issues?

It doesn't seem to be taking the username or password and simply reasks for it. When clicking cancel this is what is seen

Quote:
Bad password.

User:

Password:

Team Number:

Can I ask that JDB look in via FTP and would he be willing to troubleshoot it? I want to believe it's something simple in the PHP but I don't know what it might be.

frustrated as you can tell since I missed a GM's file today.

thanks for helping when you have time.
__________________
Jacksonville-florida-homes-for-sale

Putting a New Spin on Real Estate!



-----------------------------------------------------------

Commissioner of the USFL
USFL
Old 12-10-2009, 10:14 AM   #37
jdavidbakr
High School Varsity
 
Join Date: Feb 2008
Location: Oklahoma
Quote:
Originally Posted by Flasch186 View Post
Can I ask that JDB look in via FTP and would he be willing to troubleshoot it? I want to believe it's something simple in the PHP but I don't know what it might be.

Nothing's gonna be able to be seen via FTP because the problem is in the server configuration. They probably have a setting in PHP that no longer allows the username and password to be passed to PHP. If they intentionally did this for a security reason and are unwilling to change it, then I'm sorry but you'll need to use a different uploader as I'm not really interested in changing the auth method. If it's a setting that got unintentionally set then they just need to be notified and change it.

If you know or want to experiment with PHP code, you probably could change it to accept the password in the upload form and bypass the HTTP authentication, it actually would be a fairly trivial modification. That will be an exercise for the reader
Old 12-10-2009, 10:39 AM   #38
Flasch186
Coordinator
 
Join Date: May 2002
Location: Jacksonville, FL
is there another uploader out there, as simple that could be installed on the site that would avoid the problem if they're unwilling to fix it?
__________________
Jacksonville-florida-homes-for-sale

Putting a New Spin on Real Estate!



-----------------------------------------------------------

Commissioner of the USFL
USFL
Old 12-10-2009, 12:01 PM   #39
beargrowlz
High School Varsity
 
Join Date: Jan 2007
Location: Georgia
Quote:
Originally Posted by Flasch186 View Post
is there another uploader out there, as simple that could be installed on the site that would avoid the problem if they're unwilling to fix it?

There's the old uploader we used to use in the vNFL community until Jon developed his. I probably still have a copy around.

Send me an email if you think it would help and I'll pass it along.



Cheers,
-Bear
__________________
-Beargrowlz

[email protected]
TCY Golden Scribe Winner - Bear Goes Home

"The measure of a man's real character is what he would do if he knew he would never be found out."
--Thomas B. Macaulay

Last edited by beargrowlz : 12-10-2009 at 12:03 PM.