I forgot to add this in my instructions

it is just about cp_vars_misc.pl part in instructions.


Thanks again

the zip is updated

<FONT COLOR="#000000" SIZE="1">[ May 06, 2001 07:41 AM: Message edited by: ELY_M ]</font>

hi ely,

nice work

but i got a little problem

the upload window shows me an error

do you have any clue why i can't see the upload window?

<FONT COLOR="#000000" SIZE="1">[ May 08, 2001 08:53 AM: Message edited by: cdr700 ]</font>

I got 500 internal error.

I have no idea, but

you need to make sure the perl path is correct.

Which ubb files you are using on your server.

normal or local files ?


make sure you upload the upload files in ASCII mode in your ftp client.

make sure you chmmod the upload files and the upload folder to 777.

Looking good ELY_M

BTW, What happens if the user uploads .htpasswd and .htaccess files?

hi ely

i'm using normal files on my server

and i changed mod to 777 upload and the 2 cgi files

could it be that my server does not support if somebody tries to upload something??

but thanks anyways this hack is really cool
i can configure it in cp but it won't work

ok i think i need to work it out

if you got some clues plz tell me

Another thing, you can disable uploads in some forums, but if the user enters cgi-bin/upload_form.cgi, it will upload anyway; also unregistered users can upload, and I don't think I can disable it; and the same thing if I want only admins/mods.
What you can do is make it ultimatebb.cgi?ubb=upload_form (and to not make it confusing I think you should make the upload_form.cgi be ubb_upload_form.cgi and the other one ubb_upload.cgi), and then it will have all login information.
Also, when you'll do it, the CGI path will be in $vars_config{CGIPath} or something like that, so you can just make it automatically $vars_config{CGIPath}/uploads.

Now, your script doesn't work if Variables Path is different than cgi-bin; it will also be fixed after you'll do it if you'll do $vars_config{VariablesPath}.

<FONT COLOR="#000000" SIZE="1">[ May 07, 2001 10:11 AM: Message edited by: LK ]</font>

hi again,

i found the problem

your path in upload_form.cgi

is #!/usr/bin/perl5

my is #!/usr/bin/perl


so it didn't match and i changed it and now it works

great work man

Thanks to LK again.

I added the CP hack that an Admin can decide if he or she wants to allow unregistered users to upload.

I also added some new codes and did recoding for the new topic and reply and pm forms.


The zip is updated.

ELY_M du you thing i have a chance to install it in a older Version of the UBB 6.x? I will test it but when you say no chance ..... that i don't install it!

Sorry for my English

SkipperII

Skipper II: Please read the instructions carefully. I have placed some instructions for people who want to keep older ubb versions.

I think you should upgrade your board to ubb 604d. It has more better security fixes than previous versions.

<FONT COLOR="#000000" SIZE="1">[ May 09, 2001 12:14 AM: Message edited by: ELY_M ]</font>

Hello,

thank you i had a older File of your Upload hack! The New File Descrition for older UBB is very good! But i have one Problem all works in CP but when i save the Miscellaneous Settings, the Forum dosen't work the error is:


Any Idea?

SkipperII

<FONT COLOR="#000000" SIZE="1">[ May 10, 2001 02:55 PM: Message edited by: SkipperII ]</font>

ELY: I think you should make that files have a random name, like a368dq46.jpg (8 random letters/numbers).

Reasons:
<OL TYPE=a>

[*]If somebody posts something and I post another one with the sane name, it will overwrite the old one, and if it sucks they will blame the first one.

[*]Files like .htpasswd can cause a security risk, so now it will be a456f34g.htpasswd, which I think it's okay.
</OL>

If you choose to do it, just make sure the file doesn't already exist, because there can be even 2 random things that are the same.


If you think it's too ugly/dumb for you, make directories by the member number, like /cgi-bin/00000001/file.ext, and guests have 00000000; but I think it's worse, because of the guests and some other reasons I forgot


LK.

@ELY_M

all the entrys of your hack in the vars_misc.cgi (After the when i Save the Settings in CP) beginn with and end with dosen't work and give this Error:


The chmod is ok!
The Perl is ok
The hack is corecked added (i hope)!

Can you help me?

SkipperII

<FONT COLOR="#000000" SIZE="1">[ May 11, 2001 02:44 PM: Message edited by: SkipperII ]</font>

Possible big security risk?

When I specify that I want only jpg files to be uploaded, then go to post a file, such as regedit.exe, it says in the window that such a filename is not acceptable to upload, however it still uploads it to the directory.. So it wouldn't take much figuring out to upload a file and then find the url to get to it...

Ok, I changed some of the script, and seems to be working now.... here is what i did:

In upload.cgi

Find:



and move it directly under the lines:




Then find:



and replace it with:




This should make the script check the file type first, before uploading it.

As well, it will also generate a random filename so that one file upload will not overwrite one that is already in the directory.

I am pretty new at CGI, so someone may want to take a look at it..

yeah, need to add some code so the file wont be uploaded.

<FONT COLOR="#000000" SIZE="1">[ May 11, 2001 07:47 PM: Message edited by: ELY_M ]</font>

MarkMac: Thanks for helping out with the security and file name thing.

Sorry, It took some time for me to read everything in here.

The only thing that I can see is a problem with what I did is that if someone uploads a file like joe.blow.jpg, then it will reject the file, because it thinks the file extension is .blow...... someone may be able to correct this for us tho... As I said, I am pretty green at CGI.

Cheers

@ELY_M

you have no idea to my problem with the vars_misc.cgi entrys?


SkipperII