[PHP] OpenWallFTP - Online FTP Tool

Hi, i have recently been coding on a project!
A online FTP Site.
This site is just like filezilla, except that its Online and no software is needed!
When you have logged in you can:
Edit your files via a web-based text editor.
You can edit file names.
You can upload files up to 50MB at a time!
The uploads is nothing with the site speed.
Its normal upload with your Upload Speed!

In the next version i will:
Fix Bugs!
Upload Speed Booster (x1 - x2 - x3)
Multiple Uploads with Boost
And much more!

If you got any ideas to next version then please post them here!
If you find any bugs while using this online ftp please report them to me via PM or Comment to the thread please


PS:
Site can be down sometimes cause of some Major updates
Then please keep updated!

 

UPDATE:
Managed to make the Upload faster 1x
Made some speedhacks in the php files.
Made the code shorter ect.
Hope someone will try it and find bugs

 

I seen a few implementations of a web-based FTP client. I usually recommend all my clients stay away from them for security reasons.

 

This is 100% secured.
I have also coded a MD5 and Sha1 secure system.
When the password is encrypted with the 2 encryptions it also get again encoded with base64.
Then its like the best Security!
You password will only be needed 1 time when it login after that it gets encrypted and encoded!

 

Base64encode() is reversed with Base64decode(); so it's hardly a security feature (its designed to encode binary data into an ascii readible string so that it can be transmitted either in email or other formats without corrupting the data).

Also the password is unencrypted when its in transit to your server and until the php side of things hashes it. But it needs to have the raw password in order to log into the targeted FTP server. So that means the password obviously is either not encrypted/encoded, or has a way of being decoded otherwise it wouldn't be able to connect to the target server. And since you can't reverse an MD5 hash, then the password must be stored in an easily decodable format on your database for people to only need to enter it once.

Either way, your service may be quite convenient (sp?), but for any sites with sensitive materials or used for one's buisness, it just add another layer of potential compromise.

 

I can post the Ecryption php here if you want!
Here:

// -------------------------------------------------------------------------
// POST variables (from forms)
// -------------------------------------------------------------------------
$input_ftpserver =             $HTTP_POST_VARS['input_ftpserver'];
$input_ftpserverport =         $HTTP_POST_VARS['input_ftpserverport'];
$input_username =              $HTTP_POST_VARS['input_username'];
$input_password =              $HTTP_POST_VARS['input_password'];
$input_language =              $HTTP_POST_VARS['input_language'];
$input_skin =                  $HTTP_POST_VARS['input_skin'];

Code (markup):

Part 2:

// -------------------------------------------------------------------------
// POST variables (from forms) - Part 2
// -------------------------------------------------------------------------
$input_ftpserver2 =            $HTTP_POST_VARS['input_ftpserver2'];
$input_ftpserverport2 =        $HTTP_POST_VARS['input_ftpserverport2'];
$input_username2 =             $HTTP_POST_VARS['input_username2'];
$input_password2 =             $HTTP_POST_VARS['input_password2'];

$openwall_ftpserver =           $HTTP_POST_VARS['openwall_ftpserver'];
$openwall_ftpserverport =       $HTTP_POST_VARS['openwall_ftpserverport'];
$openwall_username =            $HTTP_POST_VARS['openwall_username'];
$openwall_password_encrypted =  md5($HTTP_POST_VARS['openwall_password_encrypted']);
$openwall_password_encrypted2 = sha1($openwall_password_encrypted);
$openwall_language =            $HTTP_POST_VARS['openwall_language'];
$openwall_skin =                $HTTP_POST_VARS['openwall_skin'];

$openwallcookie_ftpserver =     $HTTP_COOKIE_VARS['openwallcookie_ftpserver'];
$openwallcookie_ftpserverport = $HTTP_COOKIE_VARS['openwallcookie_ftpserverport'];
$openwallcookie_username =      $HTTP_COOKIE_VARS['openwallcookie_username'];
$openwallcookie_directory =     $HTTP_COOKIE_VARS['openwallcookie_directory'];
$openwallcookie_language =      $HTTP_COOKIE_VARS['openwallcookie_language'];
$openwallcookie_skin =          $HTTP_COOKIE_VARS['openwallcookie_skin'];

Code (markup):

As you can see there is nothing wrong with that code.
And also as you can see the password gets encrypted at the end when there is no use of them.
Also i have made a cookie system and that is why it cant remember password!
Because of when the pass is encrypted it cant login with a code like 0af15a6aasdf4566aafdfdfsa3000 or something.

Thanks, Beginn3R
Also did saw you base64decode(); thing and deleted it

EDIT:
Found something wrong xD
Fixed it:

$input_ftpserver =             $HTTP_POST_VARS['input_ftpserver'];
$input_ftpserverport =         $HTTP_POST_VARS['input_ftpserverport'];
$input_username =              $HTTP_POST_VARS['input_username'];
$input_password =              $HTTP_POST_VARS['input_password'];

Code (markup):

That is the bug, it still remember the old password.
Then i made now when they have logged in and no more needed for password it automatic change the values to like:

$input_ftpserver =  "";
$input_ftpserverport = "";
$input_username = "";
$input_password = "";

Code (markup):

 

The main flaw I see in your logic here is that you mention two things here.

1) They don't need to enter their user name and password again.
2) The password is hashed twice (non-reversible)

Here's why its a problem when the two are combined.
The users don't need to enter their username/password again, because the username and password are being stored either in a database and so forth. And since you cannot reverse a hash, those values have to be in your database unencrypted.

hashing the variable while another variable remains unhashed does absolutely nothing in terms of security.

Unless the users are logging on to a server with a valid SSL certificate, the communication between the user and your server is unencrypted, so passwords sent via the form could possibly (though unlikely) be intercepted.

Clearing the variables at the end does nothing useful when you consider php destroys the variables anyways when a script times out (besides unset() is the proper way to do it). And the passwords are still in memory unencrypted during the entire usage of the script.

And the final point would be... it requires trusting someone you don't know. For all we know passwords are probably being collected into a little database, so doesn't matter how much you encrypt password, or promise 100% secured access (there's no such thing).

IF your setup was like wordpress, the passwords would be stored in the database hashed, and then when the user logged on, it would compare the submitted password (hashed) against the already saved hash. But in this case you can't do that because you need the password unhashed in order to send it to the FTP server for connection. As a result unless the user is providing their password every time they have to log onto the site, their passwords are being saved somewhere insecurely despite what you say.

I honestly wouldn't be giving you as hard a time about this, if you had not said your script was 100% secure.

 

Dude, They do need to enter the password again.
Im not stupid to save the password in my database.
Thats what i said in my last post.
They dont need to enter username cos cookie but they need to enter password.
Im not stupid to save the password

 

Hi,

It says on your page it's a "OpenWallFTP is a Net2FTP Modification" what's the difference between your application and Net2FTP?

What features have you "modified" and added to yours? you've presented us a project but told us nothing about what it can do.

I won't be entering my details, it's nothing personal but you don't go around trusting unknown sites with username/passwords.

The only way you can get people to use it is to provide it open source and let the users run the code for themself (which is what Net2FTP is)

 

I have. Please check all my posts in this thread.
First i have added a speedhack for uploading big files.
The second is i have made the system more secure (Encoded, encrypted password and more)
I have also edited a little in the html editor.
I have fixed some bugs from the original Net2FTP.
I have also made some more in it!

 

I don't know why you intend to mislead users on this forum. I entered an ' in the password and it gave me an SQL error (which isn't even escaped).

Der er en fejl i SQL syntaksen nær 'word', 'lols', '21')' på linje 1

Code (markup):

Which is proof that it saves the password UNENCRYPTED to the database (poorly I may add), which you have been insisting that it doesn't.

I recommend that anybody that has used this application to change their FTP server passwords straight away.

Regards,

Steve

 

Sheesh if you got the error to show up on the screen, just imagine what would have happened if someone did a SQL injection attack on his site to show the list of usernames and passwords. A query with unsecured inputs is very easy to exploit, so that just shot the 100% secure comment of the water big time (if my comments hadn't already)

EDIT:
Not even sure why someone would need to save a user's log in into the database, since sessions could hold onto those values til the user is done (Since its apparent they gota enter username/pass each time they visit the site). That being said, and this is only a speculative theory... free service, all nice and such, promises 100% security... but stores user names and passwords unencrypted into a database when it doesn't need to for the functionality of the site... couple days or week later the user somehow finds that all their pages are getting iframes and such auto injected into their index.php and other files on their FTP account. But like I said, purely speculative.

 

so busted.

 

Why you lie
When you enter ' then you get:
Der er en fejl i SQL syntaksen nær '21')' på linje 1
That means there is a sql error, where the server want the port :S
Then stop lieing...

 

So the server wants a port, which is entered by default and you receive an SQL error? LOL

You can see the PASSWORD AND USERNAME in the SQL query....

Since you've probably already altered the code it's a good job I had a screenshot of it as well, which I will happily send anyone who want's to see.

I have no reason to lie, I just don't like other users being exploited.

Oh, and the full query error was:

Der er en fejl i SQL syntaksen nær 'word', 'lols', '21')' på linje 1

Code (markup):

Of which, "password" was the password and "lols" was the username (the port is there just fine lol...).

 

He doesn't lie, hey look if I put a ' in the server...

see... the password I entered is being inserted into the database unencrypted. Now... why would you need to save the user name and password unencrypted if you're requiring the users to enter their login each time they visit the site.

Maybe it's just an "inconvenience of truth", like when you said "When the password is encrypted with the 2 encryptions it also get again encoded with base64. Then its like the best Security!"

 

First of all, learn danish.
Also Prove it that i got logs in my mysql :S
I can give you the source of whole the site.
Then stfu

 

Don't need to learn danish, we already know its a SQL error saying that there is a problem "near".

You're a dumb one aren't you. The SQL error revealed a part of a Query string, that query string contained within the FTP credentials (server, username, password, port), none of the credentials were encrypted going into the database.

before or after modifying them. Even if you were a trustworthy person, the fact alone that you didn't escape your inputs makes your site very insecure, because of that someone could have performed a SQL injection and outputed the entire list of usernames and password. So... 100% secure my ass...

Also for you to immediately claim someone lied about an error that was so plainly seen, makes your case even more suspicious.