This repository was archived by the owner on Dec 6, 2019. It is now read-only.

Commit 98f4db9

Merge pull request #116 from DavidJClark/dev
Patch for exploit in ofc_upload_image.php
2 parents 2c78147 + 18d2935 commit 98f4db9


1 file changed

+74
-0
lines changed

Lines changed: 74 additions & 0 deletions
@@ -0,0 +1,74 @@
1+
<?php
2+
3+
//
4+
// In Open Flash Chart -> save_image debug mode, you
5+
// will see the 'echo' text in a new window.
6+
//
7+
8+
/*
9+
10+
print_r( $_GET );
11+
print_r( $_POST );
12+
print_r( $_FILES );
13+
14+
print_r( $GLOBALS );
15+
print_r( $GLOBALS["HTTP_RAW_POST_DATA"] );
16+
17+
*/
18+
19+
exit(); // NS
20+
21+
// default path for the image to be stored //
22+
$default_path = '../tmp-upload-images/';
23+
24+
if (!file_exists($default_path)) mkdir($default_path, 0777, true);
25+
26+
// NS
27+
$name = filter_input(INPUT_GET, 'name', FILTER_SANITIZE_URL);
28+
// full path to the saved image including filename //
29+
$destination = $default_path . basename( $_GET[ 'name' ] );
30+
31+
echo 'Saving your image to: '. $destination;
32+
// print_r( $_POST );
33+
// print_r( $_SERVER );
34+
// echo $HTTP_RAW_POST_DATA;
35+
36+
//
37+
// POST data is usually string data, but we are passing a RAW .png
38+
// so PHP is a bit confused and $_POST is empty. But it has saved
39+
// the raw bits into $HTTP_RAW_POST_DATA
40+
//
41+
42+
// NS - commented out
43+
/*$jfh = fopen($destination, 'w') or die("can't open file");
44+
fwrite($jfh, $HTTP_RAW_POST_DATA);
45+
fclose($jfh);*/
46+
47+
//
48+
// LOOK:
49+
//
50+
exit();
51+
52+
53+
//
54+
// PHP5:
55+
//
56+
57+
58+
// default path for the image to be stored //
59+
$default_path = 'tmp-upload-images/';
60+
61+
if (!file_exists($default_path)) mkdir($default_path, 0777, true);
62+
63+
// full path to the saved image including filename //
64+
$destination = $default_path . basename( $_FILES[ 'Filedata' ][ 'name' ] );
65+
66+
// move the image into the specified directory //
67+
if (move_uploaded_file($_FILES[ 'Filedata' ][ 'tmp_name' ], $destination)) {
68+
echo "The file " . basename( $_FILES[ 'Filedata' ][ 'name' ] ) . " has been uploaded;";
69+
} else {
70+
echo "FILE UPLOAD FAILED";
71+
}
72+
73+
74+
?>
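Review bot: The only thing disabling this endpoint is the bare `exit(); // NS` on new line 19; everything below it is unreachable but still ships the unsafe upload logic, so removing that one line brings the problem back. In the dead code, `$name = filter_input(INPUT_GET, 'name', FILTER_SANITIZE_URL)` is never used (`$destination` is still built from `$_GET['name']`), neither branch restricts the file extension or checks that the payload is an image, and `mkdir($default_path, 0777, true)` creates a world-writable directory that appears to sit under the served tree. I would delete new lines 21–72 and make the refusal explicit, e.g. `header('HTTP/1.1 403 Forbidden');` followed by `exit('Image upload is disabled.');`, with a comment stating why the endpoint is disabled. If saving images is needed again, it should return as a new handler that generates the file name server-side, accepts only a fixed image extension after verifying the content, and writes outside the web root.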
