View Full Version : File Uploader
MacroGuru
09-19-2008, 07:47 PM
Alright, I need a new file uploader...some hacker dipshit exploited the one I was using.
PHP is what I am using.
MacroGuru
09-19-2008, 08:57 PM
Anyone know of one?
Honestly, I ran a search here and it's like I am trying to find the secret of the ark...
Anyways, any help would be appreciated...we were using the Maian Uploader, it was hacked, my server was thrashed...
Need something new that isn't going to be hunted
jdavidbakr
09-20-2008, 02:41 PM
Here's one I made for a couple of leagues:
FOF Stage Uploader (http://www.catalystproductions.cc/pub/upload.zip)
It's a single file, upload.php, you'll need to edit the variables at the top but if you're familiar with PHP you should be able to figure it out. There are some comments about how to secure your upload directory to prevent anyone from being able to execute the uploaded files. It doesn't have any password protection (i.e. to prevent someone from uploading a file for another team) but again if you are PHP savvy you probably could easily add that.
MacroGuru
09-20-2008, 08:42 PM
Here's one I made for a couple of leagues:
FOF Stage Uploader (http://www.catalystproductions.cc/pub/upload.zip)
It's a single file, upload.php, you'll need to edit the variables at the top but if you're familiar with PHP you should be able to figure it out. There are some comments about how to secure your upload directory to prevent anyone from being able to execute the uploaded files. It doesn't have any password protection (i.e. to prevent someone from uploading a file for another team) but again if you are PHP savvy you probably could easily add that.
Thanks
jdavidbakr
09-24-2008, 10:35 AM
I just made some changes to the stage uploader so you can set passwords for each team. It also rejects any file that is not the correct stage file name for that team. There are directions in the file as to how to set it up.
FOF Stage File Uploader (http://www.catalystproductions.cc/pub/upload.zip)
headtrauma
09-24-2008, 02:10 PM
macroguru, let me know how this works out for you. If you like it, I'll start using it in the Shiba league.
MacroGuru
09-24-2008, 02:19 PM
macroguru, let me know how this works out for you. If you like it, I'll start using it in the Shiba league.
Will do, I am going to install it here in a minute.
MacroGuru
09-24-2008, 03:06 PM
macroguru, let me know how this works out for you. If you like it, I'll start using it in the Shiba league.
Definitely cool and easy to set up...we will be using this officially tonight after my sim.
sovereignstar
10-03-2008, 05:43 PM
What would I have to do to get rid of the passwords? Or do you still have the older version available? Don't really feel like entering manual passwords for guys.
jdavidbakr
10-04-2008, 09:37 AM
What would I have to do to get rid of the passwords? Or do you still have the older version available? Don't really feel like entering manual passwords for guys.
Well, it uses what password the user is logged in with to determine what file is supposed to be uploaded. You could just give them the default passwords. To remove the passwords altogether you'll need to remove the block of code where it checks for a valid login, and then change the following line:
if ($_FILES['file']['name'] == $expected_name) {
to
if (1) {
The system would then accept any uploaded file so you'll want to make sure that the upload directory is not anywhere on your server that can be executed, as someone could upload a script and have fun on your server. That's the real reason I added the passwords, so that it only allows each team to upload the correctly named file and give feedback if they upload the wrong file.
sovereignstar
10-04-2008, 10:31 AM
Gotcha. I'm just not a big fan of setting passwords for guys. If I was only smart enough to grab them from our vBulletin database. :( I do like the functionality limiting guys to uploading certain files, so I probably don't want to remove the passwords from your utility either. Thanks anyways!
jdavidbakr
10-04-2008, 10:35 AM
Gotcha. I'm just not a big fan of setting passwords for guys. If I was only smart enough to grab them from our vBulletin database. :( I do like the functionality limiting guys to uploading certain files, so I probably don't want to remove the passwords from your utility either. Thanks anyways!
The password could just be the team name, all it really is is an identifier as to who is uploading the file. One reason I did it with the browser password is that most browsers will allow you to save the password and then you'll log in automatically in the future.
sovereignstar
10-04-2008, 10:37 AM
That's a good point. Our current uploader doesn't save passwords, so I didn't really think of that.
sovereignstar
10-04-2008, 11:36 AM
Heh. I guess I didn't totally understand the importance of the password in your uploader until I actually ran it. I decided to use the team names like you suggested. I think this will work just fine. Thanks again.
sovereignstar
10-04-2008, 11:58 AM
Doh! I see a problem. Guys have to be on the same page in regards to how they enter their league ID as the uploader is case sensitive. The "official" league ID I had told guys to sign up with was 'Imperial'. It doesn't look like many guys actually did that.
gstelmack
10-04-2008, 02:21 PM
Gotcha. I'm just not a big fan of setting passwords for guys. If I was only smart enough to grab them from our vBulletin database. :(
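// Escape the username before interpolating it into the query.
$uid_sql = mysql_real_escape_string($uid, $db);
$sql = "SELECT username, password, userid, salt from vb_user where username = '$uid_sql'";
$result = mysql_query($sql, $db) or die("Bad query: " . mysql_error());
if ($myrow = mysql_fetch_array($result)) {
    // vBulletin stores md5(md5(password) . salt); compare strictly to avoid type juggling.
    if (md5(md5($pwd) . $myrow[3]) === $myrow[1]) {
        // password matches this vBulletin account
    }
}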
Credit to cuervo who I got this snippet from (and once I knew about it, I think I found the similar bit of code inside vBulletin itself). I have an ASP Role Provider that can check against the vBulletin userid / password if anybody ever needs that.
Ben E Lou
12-24-2008, 07:38 AM
Here's one I made for a couple of leagues:
FOF Stage Uploader (http://www.catalystproductions.cc/pub/upload.zip)
It's a single file, upload.php, you'll need to edit the variables at the top but if you're familiar with PHP you should be able to figure it out. There are some comments about how to secure your upload directory to prevent anyone from being able to execute the uploaded files. It doesn't have any password protection (i.e. to prevent someone from uploading a file for another team) but again if you are PHP savvy you probably could easily add that.
All of a sudden overnight this stopped working. We're getting invalid password messages in two leagues on the same server. It almost has to be some sort of server-related thing, right? Any ideas as to what could cause this?
jdavidbakr
12-24-2008, 08:19 AM
All of a sudden overnight this stopped working. We're getting invalid password messages in two leagues on the same server. It almost has to be some sort of server-related thing, right? Any ideas as to what could cause this?
Hm, must be a server-related change - although I'm not sure what they would have changed unless they downgraded PHP, there might be a security setting in PHP that would break that but I have no idea why they would turn that on if there is.
Try making a page "passwordtest.php" with the following content:
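<?php
// Diagnostic only: shows whether HTTP Basic credentials reach PHP. Delete it after testing.
$username = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
$password = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';
if ($password == '') {
    header('WWW-Authenticate: Basic realm="Password Test"');
    header("HTTP/1.0 401 Unauthorized");
    echo 'no password was passed to the script';
    exit;
} else {
    // Escape the values so the entered text cannot inject markup into the page.
    echo "Username: " . htmlspecialchars($username) . " - Password: " . htmlspecialchars($password);
    exit;
}
?>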
then open it up in a browser. It should request a password and if you enter one, it should print the password to the screen. If it does, then I'm not sure why the upload script would not be working; but if it doesn't, you will probably need to contact your hosting provider's tech support and show them that script, and ask them why it's no longer working.
Ben E Lou
12-24-2008, 08:39 AM
Did that, and it's doing the same thing I'm getting at WOOF/FOWL: just asking for username/password over and over again.
http://www.younglifenorthdekalb.com/woof/ben/passwordtest.php
Will you verify that it's doing that for you?
jdavidbakr
12-24-2008, 09:37 AM
Did that, and it's doing the same thing I'm getting at WOOF/FOWL: just asking for username/password over and over again.
http://www.younglifenorthdekalb.com/woof/ben/passwordtest.php
Will you verify that it's doing that for you?
Yep, looks like the PHP script isn't receiving the password. This function was added in I think PHP 4.0.1 and it is very odd to me that it would have worked before and is no longer working. You probably should point tech support to that script and ask them why it's not working, obviously they made a change to the server configuration.
Celeval
12-24-2008, 01:05 PM
A couple thoughts - I don't have a lot of experience debugging this sort, but things that percolate something for someone:
As of PHP 4.3.0, in order to prevent someone from writing a script which reveals the password for a page that was authenticated through a traditional external mechanism, the PHP_AUTH variables will not be set if external authentication is enabled for that particular page and safe mode (http://us2.php.net/manual/en/features.safe-mode.php#ini.safe-mode) is enabled. Regardless, REMOTE_USER can be used to identify the externally-authenticated user. So, you can use $_SERVER['REMOTE_USER'] (http://us2.php.net/manual/en/reserved.variables.server.php).
Could be this? Although I don't know why/how external auth would be set up.
Alternatively:
The HTTP Authentication hooks in PHP are only available when it is running as an Apache module and is hence not available in the CGI version.
Another limitation is if you're using the IIS module (ISAPI) and PHP 4, you may not use the PHP_AUTH_* variables but instead, the variable HTTP_AUTHORIZATION is available. For example, consider the following code:
list($user, $pw) = explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));
Any chance the servers have been moved to IIS from Apache?
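The fallback described in the post above, written out as an added example (not code from the thread or from the uploader). It assumes that under CGI/FastCGI the web server has been configured to pass the Authorization header to PHP as HTTP_AUTHORIZATION or REDIRECT_HTTP_AUTHORIZATION; the function name and sample values are hypothetical.

```php
<?php
// Added example. Returns array(user, password), or null when no usable
// credentials reached PHP (the "dialog keeps coming back" case).
function basic_auth_credentials(array $server)
{
    // Apache module case: PHP has already decoded the header.
    if (isset($server['PHP_AUTH_USER'])) {
        $pw = isset($server['PHP_AUTH_PW']) ? $server['PHP_AUTH_PW'] : '';
        return array($server['PHP_AUTH_USER'], $pw);
    }
    // CGI/ISAPI case: decode the raw header if the server passed it through.
    // Assumption: one of these two variables carries it.
    foreach (array('HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION') as $key) {
        if (empty($server[$key]) || stripos($server[$key], 'Basic ') !== 0) {
            continue;
        }
        $decoded = base64_decode(substr($server[$key], 6), true);
        if ($decoded === false || strpos($decoded, ':') === false) {
            return null; // malformed header
        }
        // Split on the first colon only: a password may itself contain ':'.
        return explode(':', $decoded, 2);
    }
    return null;
}

// Constructed sample environments, not captured from any real server.
$samples = array(
    'apache module' => array('PHP_AUTH_USER' => 'Imperial', 'PHP_AUTH_PW' => 'example'),
    'cgi, header passed' => array(
        'HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('Imperial:pa:ss'),
    ),
    'cgi, header stripped' => array(),
);
foreach ($samples as $label => $server) {
    $creds = basic_auth_credentials($server);
    echo $label, ': ',
        $creds === null ? 'no credentials reached PHP' : 'user=' . $creds[0],
        "\n";
}
```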
Flasch186
11-16-2009, 01:51 PM
JDB can I hit you up via PM about the possibility of helping get your uploader reinstalled on Ben's server for the USFL since when the host did their thing they crashed it with this error
Warning: Cannot modify header information - headers already sent by (output started at /services4/webpages/util/y/l/yldekalb.site.aplus.net/public/usfl/ben/upload.php:21) in /services4/webpages/util/y/l/yldekalb.site.aplus.net/public/usfl/ben/upload.php on line 120
Warning: Cannot modify header information - headers already sent by (output started at /services4/webpages/util/y/l/yldekalb.site.aplus.net/public/usfl/ben/upload.php:21) in /services4/webpages/util/y/l/yldekalb.site.aplus.net/public/usfl/ben/upload.php on line 121
Bad password.
jdavidbakr
11-16-2009, 01:55 PM
JDB can I hit you up via PM about the possibility of helping get your uploader reinstalled on Ben's server for the USFL since when the host did their thing they crashed it with this error
Check what version of PHP is running. I _think_ it has to be PHP >= 5.
What that looks like is that the password is not being sent properly to PHP.
Ben E Lou
11-16-2009, 02:02 PM
Just double checked. It's PHP 5.
jdavidbakr
11-16-2009, 02:07 PM
You'll probably have to look at the uploader.php script then - see what line it's referring to. Basically the "headers have already been sent" message means that there has been some sort of output before a header message. Depending on how you've adjusted the file for your league, it looks like that line is going to be around the place where it's sending the authentication header - check to make sure you don't have any stray output (like text or a blank line before the initial '<?') - check line 21, that seems to be where it's referring to.
Flasch186
11-16-2009, 02:12 PM
hmmm, I'll have to take a look from home when I can really focus as I definitely can do a lot of damage. How much do you charge for peeking in via FTP and fixing it if it's easy for ya :) {seriously}
Ben E Lou
11-16-2009, 02:19 PM
You'll probably have to look at the uploader.php script then - see what line it's referring to. Basically the "headers have already been sent" message means that there has been some sort of output before a header message. Depending on how you've adjusted the file for your league, it looks like that line is going to be around the place where it's sending the authentication header - check to make sure you don't have any stray output (like text or a blank line before the initial '<?') - check line 21, that seems to be where it's referring to.
Weird. Keep in mind that I didn't change a thing in the script when the new servers went in place. Line 21 is just a quick echo statement with a new background color. I removed it, and that error is gone. But the "bad password" issue still remains. I'm sending it a password that I know should work from looking in the script.
jdavidbakr
11-16-2009, 02:42 PM
Weird. Keep in mind that I didn't change a thing in the script when the new servers went in place. Line 21 is just a quick echo statement with a new background color. I removed it, and that error is gone. But the "bad password" issue still remains. I'm sending it a password that I know should work from looking in the script.
Yeah, an echo before the header statement will break it. Maybe it was configured differently before where it would buffer the output to the end of the script (that is an option in PHP which would avoid the error)
For the password, to make sure you are getting the correct data being passed, try echoing the variables in after "Bad Password", something like:
echo "<h1>Bad password.</h1>";
echo "<P>User: ".$_SERVER['PHP_AUTH_USER']."</P>";
echo "<P>Password: ".$_SERVER['PHP_AUTH_PW']."</P>";
echo "<P>Team Number: ".$passwords[$_SERVER['PHP_AUTH_PW']]."</P>";
exit;
That should give you some idea of where it's breaking (hopefully)
Ben E Lou
11-16-2009, 02:49 PM
Will do...and in the meantime if you'll bump the correct thread, I'll move this line of posts into it. Nice goin', Flasch. ;)
Ben E Lou
11-16-2009, 02:52 PM
Heh. Methinks it's passing it...nothing. The user/pass dialog just keeps coming up every time I enter anything. Finally when I hit cancel, of course I get nulls for everything...
User:
Password:
Team Number:
jdavidbakr
11-16-2009, 02:54 PM
bump
jdavidbakr
11-16-2009, 02:58 PM
Heh. Methinks it's passing it...nothing. The user/pass dialog just keeps coming up every time I enter anything. Finally when I hit cancel, of course I get nulls for everything...
User:
Password:
Team Number:
That would be a problem ... :eek:
Maybe before PHP was not running in safe mode and now it is? You didn't move from Apache to IIS on the server switch, did you? Gotta be something in the PHP config that changed. Might need to contact the server admin and see what he says. Show him that block of code and he should immediately know why it's not working.
Ben E Lou
11-16-2009, 03:32 PM
I'll check with the admins. I don't know exactly what they did in the upgrade. I do know that everything is quite a bit faster. I filed a support ticket for this quite some time ago, but it was right in the middle of an upgrade where they'd lost hundreds of auto-increment values in my 10 databases alone, so they probably had bigger fish to fry at the time. ;)
Flasch186
11-20-2009, 01:08 PM
Ben
Hear anything back about the PHP stuff from the admins?
Ben E Lou
11-20-2009, 01:12 PM
As soon as I hear something worth reporting, you'll be the first to know.
Flasch186
12-10-2009, 10:01 AM
Ben
I hate feeling like or sounding like a nag but I feel like I'm the only league in the FOF universe without a working uploader. Is there anything that can be said or done to make it higher on the totem pole at the host in regards to their issues?
It doesn't seem to be taking the username or password and simply reasks for it. When clicking cancel this is what is seen
Bad password.
User:
Password:
Team Number:
Can I ask that JDB look in via FTP and would he be willing to troubleshoot it? I want to believe it's something simple in the PHP but I don't know what it might be.
frustrated as you can tell since I missed a GM's file today.
thanks for helping when you have time.
jdavidbakr
12-10-2009, 10:14 AM
Can I ask that JDB look in via FTP and would he be willing to troubleshoot it? I want to believe it's something simple in the PHP but I don't know what it might be.
Nothing's gonna be able to be seen via FTP because the problem is in the server configuration. They probably have a setting in PHP that no longer allows the username and password to be passed to PHP. If they intentionally did this for a security reason and are unwilling to change it, then I'm sorry but you'll need to use a different uploader as I'm not really interested in changing the auth method. If it's a setting that got unintentionally set then they just need to be notified and change it.
If you know or want to experiment with PHP code, you probably could change it to accept the password in the upload form and bypass the HTTP authentication, it actually would be a fairly trivial modification. That will be an exercise for the reader :p
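A sketch of the modification mentioned above, combined with the earlier advice about accepting only the expected file name and keeping uploads somewhere that cannot be executed. This is an added example, not the FOF Stage Uploader's code; the team name, file name, form field names and storage path are hypothetical.

```php
<?php
// Added example: the team password arrives in the upload form instead of
// HTTP Basic auth. All names, paths and the sample password are hypothetical.
function handle_upload(array $post, array $files, array $teams, $store_dir)
{
    $team = isset($post['team']) ? (string)$post['team'] : '';
    $pass = isset($post['password']) ? (string)$post['password'] : '';
    // password_verify() compares against a stored hash in constant time.
    if (!isset($teams[$team]) || !password_verify($pass, $teams[$team]['hash'])) {
        return 'Bad team or password.';
    }
    // Strict comparison also rejects array-style (multi-file) submissions.
    if (!isset($files['file']) || !is_array($files['file'])
        || $files['file']['error'] !== UPLOAD_ERR_OK) {
        return 'No file received.';
    }
    $f = $files['file'];
    // The client-supplied name is only compared, never used to build a path.
    if ($f['name'] !== $teams[$team]['expected_name']) {
        return 'Wrong file: expected ' . $teams[$team]['expected_name'] . '.';
    }
    if ($f['size'] > 5 * 1024 * 1024) {
        return 'File too large.';
    }
    // The destination name comes from server-side config, and $store_dir
    // should sit outside the web root so nothing in it can be requested or run.
    $dest = rtrim($store_dir, '/') . '/' . $teams[$team]['expected_name'];
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        return 'Could not store file.';
    }
    return 'Stored ' . basename($dest) . '.';
}

// Hypothetical configuration; in practice the hash is generated once and stored.
$teams = array(
    'Imperial' => array(
        'hash' => password_hash('example-only', PASSWORD_DEFAULT),
        'expected_name' => 'stage_team01.dat',
    ),
);

if (PHP_SAPI !== 'cli' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $msg = handle_upload($_POST, $_FILES, $teams, '/var/leaguedata/uploads');
    echo htmlspecialchars($msg);
}
```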
Flasch186
12-10-2009, 10:39 AM
is there another uploader out there, as simple that could be installed on the site that would avoid the problem if they're unwilling to fix it?
beargrowlz
12-10-2009, 12:01 PM
is there another uploader out there, as simple that could be installed on the site that would avoid the problem if they're unwilling to fix it?
There's the old uploader we used to use in the vNFL community until Jon developed his. I probably still have a copy around.
Send me an email ([email protected]) if you think it would help and I'll pass it along.
Cheers,
-Bear