Mime Check Bypass Need To Be FIXED...need help...and login problem...

Discussion in 'PHP' started by xDragonZ, Jun 12, 2009.

0
  1. #1 
    <?
function new_picture_size($max_w, $max_h, $path){
	$size = getimagesize($path);
	$w = $size[0];
	$h = $size[1];
	if($w <= $max_w && $h <= $max_h) $s = array(0=>$w, 1=>$h, 2=>$w, 3=>$h);
	else {
		if($w >= $h){
			if($w > $max_w){
				$new_w = $max_w;
				$new_h = ceil(($new_w * $h) / $w);
			}
			if($h > $max_h){
				$new_h = $max_h;
				$new_w = ceil(($new_h * $w) / $h);
			}
		} else {
			if($h > $max_h){
				$new_h = $max_h;
				$new_w = ceil(($new_h * $w) / $h);
			}
			if($w > $max_w){
				$new_w = $max_w;
				$new_h = ceil(($new_w * $h) / $w);
			}
		}
		$s = array(0=>$new_w, 1=>$new_h, 2=>$w, 3=>$h);
	}
	return $s;
}

function make_square($max, $dir, $file){
	$path = $dir."/".$file;
	$newpath = $dir."_mini/".$file;
	$size = getimagesize($path);
	$w = $size[0];
	$h = $size[1];
	if($w > $max_w || $h > $max_h) {
		if($w > $h){
			$neww = ($w * $max) / $h;
			$newh = $max;
		} else {
			$newh = ($h * $max) / $w;
			$neww = $max;
		}
		$oldpic = imagecreatefromjpeg($path);
		$newpic = imagecreatetruecolor($neww, $newh);
		imagecopyresampled($newpic, $oldpic, 0, 0, 0, 0, $neww, $newh, $w, $h);
		imagejpeg($newpic, $newpath, 100);
		imagedestroy($oldpic);
		imagedestroy($newpic);

		$size = getimagesize($newpath);
		$w = $size[0];
		$h = $size[1];

		if($w > $max) $x = round(($w - $max)/2);
		else $x = round(($max - $w)/2);
		if($h > $max) $y = round(($h - $max)/2);
		else $y = round(($max - $h)/2);
		$oldpic = imagecreatefromjpeg($newpath);
		$newpic = imagecreatetruecolor($max, $max);
		imagecopyresampled($newpic, $oldpic, 0, 0, $x, $y, $w, $h, $w, $h);
		imagejpeg($newpic, $newpath, 100);
		imagedestroy($oldpic);
		imagedestroy($newpic);
	}
	return $s;
}

function resize_picture($w, $h, $picture, $format){
	$format = str_replace(".", "", $format);
	switch(strtolower($format)){
		case "jpg":
			//$th_size = new_picture_size($w, $h, $picture);
			$oldpic = imagecreatefromjpeg($picture);
			$newpic = imagecreatetruecolor($w, $h);
			$size = min(imageSX($oldpic), imageSY($oldpic));
			$offsetX = (imageSX($oldpic) - $size) / 2;
			imagecopyresampled($newpic, $oldpic, 0, 0, $offsetX, 0, $w, $h, $size, $size);


			imagejpeg($newpic, $picture, 100);
			imagedestroy($oldpic);
			imagedestroy($newpic);
			break;
		case "jpeg":
			$oldpic = imagecreatefromjpeg($picture);
			$newpic = imagecreatetruecolor($w, $h);
			$size = min(imageSX($oldpic), imageSY($oldpic));
			$offsetX = (imageSX($oldpic) - $size) / 2;
			imagecopyresampled($newpic, $oldpic, 0, 0, $offsetX, 0, $w, $h, $size, $size);
			imagejpeg($newpic, $picture, 100);
			imagedestroy($oldpic);
			imagedestroy($newpic);
			break;
		case "png":
			$oldpic = imagecreatefrompng($picture);
			$newpic = imagecreatetruecolor($w, $h);
			$size = min(imageSX($oldpic), imageSY($oldpic));
			$offsetX = (imageSX($oldpic) - $size) / 2;
			//$offsetY = (imageSX($oldpic) - $size) / 2;
			imagecopyresampled($newpic, $oldpic, 0, 0, $offsetX, 0, $w, $h, $size, $size);
			imagepng($newpic, $picture, 9);
			imagedestroy($oldpic);
			imagedestroy($newpic);
			break;
		case "gif";
			$oldpic = imagecreatefromgif($picture);
			$newpic = imagecreate($w, $h);
			$size = min(imageSX($oldpic), imageSY($oldpic));
			$offsetX = (imageSX($oldpic) - $size) / 2;
			//$offsetY = (imageSX($oldpic) - $size) / 2;
			imagecopyresampled($newpic, $oldpic, 0, 0, $offsetX, 0, $w, $h, $size, $size);
			imagegif($newpic, $picture, 100);
			imagedestroy($oldpic);
			imagedestroy($newpic);
			break;
	}
}

function upload_avatar($file_field, $uid){
	if(is_file("profile_images/$uid.jpg")) unlink("profile_images/$uid.jpg");
	if(is_file("profile_images/$uid.jpeg")) unlink("profile_images/$uid.jpeg");
	if(is_file("profile_images/$uid.gif")) unlink("profile_images/$uid.gif");
	if(is_file("profile_images/$uid.png")) unlink("profile_images/$uid.png");

	if(is_uploaded_file($_FILES[$file_field]['tmp_name'])){
		$size = getimagesize($_FILES[$file_field]['tmp_name']);
		$mime = $size['mime'];
		if($mime != "image/png" && $mime != "image/jpeg" && $mime != "image/gif") return false;
		if($_FILES['userfile']['size'] > 1048576) return false;
		$size = getimagesize($_FILES[$file_field]['tmp_name']);

		$parts = explode(".", $_FILES[$file_field]['name']);
		$last = count($parts) - 1;
		$ext = $parts[$last];
		$filename = $uid.".".$ext;

		move_uploaded_file($_FILES[$file_field]['tmp_name'], "profile_images/$filename");
		chmod("profile_images/$filename", 0777);
		resize_picture(60, 60, "profile_images/$filename", $ext);

		//create 25x25 thumbnail
		copy("profile_images/$filename", "avatars/$filename");
		resize_picture(25, 25, "avatars/$filename", $ext);

		//update the user's avatar filename in the database
		$db = new database;
		$db->dblink();
		$db->db_update("users", "avatar='$filename'", "id=$uid");
		return $filename;
	}
}

function get_ext_from_mime($mime){
   switch($mime) {
       case "image/jpeg":
           return "jpg";
       break;
       case "image/jpg":
           return "jpg";
       break;
       case "image/gif":
           return "gif";
       break;
       case "image/png":
           return "png";
       break;
   }
}
?>
    PHP:
    User are able to bypass the mine check..
    file Input Validation bypass

    [Mime Check Bypass]:
    ----------
    GIF89aP;
    [php_shell_code]

    so any one know how to fix this......


    ------------------------------------------------------------------
    and i have a login proble..

    //login a user
if($_POST['login']){
		//hash password
		$temp = $post['pass'];
        $hashed = md5(sha1($temp));
    $result = $db->get_recs("users", "*", "(username='{$_POST['user']}' or email='{$_POST['user']}') and pass='$hashed' and new=0");
    $how_many = $db->count_recs($result);
    if($how_many != 0) {
        $rec = $db->fetch_objects($result);
        $_SESSION['user'] = new user($rec[0]);
        $_SESSION['user_id'] = $_SESSION['user']->id;
        if($_POST['remember_me']){
            setcookie("login_user", $_SESSION['user']->username, time() + 86400 * 60);
            setcookie("login_pass", $_SESSION['user']->$hashed, time() + 86400 * 60);
        }
        unset($_SESSION['logged_out']);
        header("Location: profile/{$_SESSION['user']->username}");
    } else {
	//$result = $db->get_recs("users", "*", "(username='{$_POST['user']}' or email='{$_POST['user']}') and pass='{$_POST['pass']}' and new=1");
	    $result = $db->get_recs("users", "*", "(username='{$_POST['user']}' or email='{$_POST['user']}') and pass='$hashed' and new=1");
        $how_many = $db->count_recs($result);
        if($how_many != 0){
    PHP:
    The user are able to login the account..by just user username...even wrong password they can login...so anyon know how to fix?
     
    xDragonZ, Jun 12, 2009 IP
  2. juust

    juust Peon

    Messages:
    214
    Likes Received:
    11
    Best Answers:
    0
    Trophy Points:
    0
    #2
    about the login :
    1) the hashing fails :
    $post['pass'] should be $_POST['pass']

    2) about the query
    your query tests for a
    "match username "
    OR
    "match email and pass"

    the 'and pass...' statement should be in both clauses,
    now any valid username passes the test.
     
    juust, Jun 13, 2009 IP