GetSimple Support Forum

Full Version: Uploading files fails
That is going to give some problems.

You will have to build a page in the admin section to whitelist IPs for uploading?

That does not sound like the step that should be taken to make it safe for clients again. Who wants to keep updated IP whitelists on his simple website? I wouldn’t.
I agree. Honestly, I just need to change GS to use what Head said, and I can use the same function that the rest of the pages use for cookie checking.
First - excuse my English - I am Bulgarian. My story - testing only jquery.uploadify-v2.1.0 - the problem exists. So - edit upload-ajax.php then - perhaps not the most correct way - sidebar-files.php - form id="foo" and now everything is OK except for multiple file uploads. And now I'm happy. GetSimple is OK.[Image: test.jpg]
@PRAG, normally you would only need to edit upload-ajax.php, so what did you change in the sidebar?
Hi!

I am an artist and my computer skills are relatively small - still learning. Here's what I do.

This is jquery.uploadify.v2.1.0.js example on local computer /WAMP - default settings/ everything is OK. [Image: http_localhost_example.jpg]

But when I try it on a remote computer, where my site is - this is what I see . . .[Image: www_vrachev_example.jpg]


So I just ignore jquery.uploadify, removing the ID which call the plugin

Code:
<form id="OTHER ID - NOT MAINFTP" class="fullform" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post" enctype="multipart/form-data">
    <p><input type="file" class="text" name="file" id="file" /></p>
    <p><input type="submit" class="submit" name="submit" value="<?php echo $i18n['UPLOAD']; ?>" /></p>
</form>

There is no AJAX, but I can upload files, what is more important to me.
True, it is like Pogodo said, if you don’t use the AJAX function it will work. But in that case you don’t need to edit upload-ajax.php at all.
Absolutely true, but when I edited upload-ajax.php, I did not know that this would not solve the problem. My question is, what is the proper way to stop using the AJAX function?
The correct way would be to just take away Uploadify completely. You disabled it by changing the ID on the form, this might lead to some Javascript errors depending on how Uploadify works (can’t be bothered to check it right now) but is a way to disable it.

Uploadify is what needs AJAX, without it you won’t need upload-ajax.php at all so you could remove it. Removing that file will also remove the current security risk that is involved.
I'm sorry but File Uploading still is not working. Ver of CMS GetSimple 1.71
I was trying all suggestions from this thread but it's not working :(
Please Help me...
nikifor Wrote: I'm sorry but File Uploading still is not working. Ver of CMS GetSimple 1.71
That’s right. To be fair, it was version 1.71 that broke uploading. Version 1.7 will work, but has a security issue that gives everyone the ability to upload files to your server. Neither of them is very good.

nikifor Wrote: I was trying all suggestions from this thread but it's not working :(
Did you try editing the sidebar-files.php file and taking out Uploadify? (As done by PRAG.) Because that is where the current problem lies. I’ll get a fix for that uploaded later tonight (CET) or tomorrow I guess, because it seems to be a big problem for so many people.
Zegnåt Wrote:I already contacted Chris about this before (Email sent: Nov 7, 2009 8:00 AM).
It seems to again be a problem with certain servers only. Could everyone post back with what server environment they are using?

I'm running WampServer Version 2.0
Apache 2.2.11
PHP 5.2.8

Don't seem to have upload problems with GS 1.7

hi Zegnåt we have the same server environment

WampServer Version 2.0
Apache 2.2.11
PHP 5.3.0

but I've got the same problem with threads .....?
internet54 Wrote:For the file upload issue, it is this code that breaks it.

Code:
if (basename($_SERVER['PHP_SELF']) == 'upload-ajax.php') {
    die('You cannot load this page directly.');
}

I can delete that code and replace it with a .htaccess file restriction and it works like a charm.
The problem with that is that newbies would have an issue trying to figure it out.

Wow, I couldn't believe that there are people who actually try this without thinking.
Thx to this "workaround" I found 3 (!) GetSimple sites within 10 minutes I could easily hack thanks to this unlimited upload script and the script breaker removal.

ccagle8: You should definitely do something about this issue. A session verification is the absolute minimum which has to exist in this script.
When I've time tomorrow, I'll hack it myself (if you didn't fix already)
2.0 beta is out and it's stable enough for any production site in my opinion, but we are still testing a few things. I expect 2.0 to be cut in a few days.

BTW: even though 1.71 broke the upload, it did prevent the vulnerability, so while 1.71 didn't upload exactly well, it was safe.
I suggest you remove any suggestion for using this workaround regardless of the context out of this forum, since many many people find this via google and think "hey my upload is working" but opening a very critical security flaw for anyone who is aware of this and knows how to abuse it.
And think of an uploadscript who uploads everything you send it! The script doesn't even bother which extension it is!
You could have at least excluded *.php or *.sh files from being uploaded :/
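
As an added illustration of the two checks asked for in the post above (a session check and an extension filter), not part of the original thread and not GetSimple's code: a minimal PHP upload endpoint. The `logged_in` session key, the `uploads/` directory and the allowlist are assumptions; the `file` field name matches the form posted earlier in the thread.

```php
<?php
// Added example, not GetSimple code. Hypothetical names: the 'logged_in'
// session key, the uploads/ directory and the extension allowlist.
declare(strict_types=1);

const UPLOAD_DIR  = __DIR__ . '/uploads';
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

/** Returns a safe target filename, or null if the name must be rejected. */
function safe_upload_name(string $clientName): ?string
{
    $name = basename(str_replace('\\', '/', $clientName)); // drop any path
    $name = (string) preg_replace('/[^A-Za-z0-9._-]/', '_', $name);
    $parts = explode('.', strtolower($name));
    if (count($parts) < 2 || $parts[0] === '') {
        return null;               // no extension, or a dotfile such as .htaccess
    }
    array_shift($parts);
    // Every dot-separated suffix must be allowed, so "x.php.jpg" is refused too.
    foreach ($parts as $ext) {
        if (!in_array($ext, ALLOWED_EXT, true)) {
            return null;
        }
    }
    return $name;
}

/** Returns the HTTP status code for the current upload request. */
function handle_upload(): int
{
    session_start();
    if (empty($_SESSION['logged_in'])) {
        return 403;                // no authenticated session: refuse first
    }
    $f = $_FILES['file'] ?? null;
    if ($f === null || $f['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($f['tmp_name'])) {
        return 400;
    }
    $name = safe_upload_name($f['name']);
    if ($name === null) {
        return 415;                // extension not on the allowlist
    }
    return move_uploaded_file($f['tmp_name'], UPLOAD_DIR . '/' . $name) ? 200 : 500;
}

if (PHP_SAPI !== 'cli') {
    http_response_code(handle_upload());
}
```

The session check runs before anything in `$_FILES` is touched, so an unauthenticated request never reaches the file-handling code.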
_dp Wrote:I suggest you remove any suggestion for using this workaround regardless of the context out of this forum, since many many people find this via google and think "hey my upload is working" but opening a very critical security flaw for anyone who is aware of this and knows how to abuse it.
But, you can’t upload with 1.71 or later any more. The most discussed workaround here is to take away the AJAX option all together, which will still keep it safe. So what exactly should we take away?
_dp Wrote:And think of an uploadscript who uploads everything you send it! The script doesn't even bother which extension it is!
You could have at least excluded *.php or *.sh files from being uploaded :/
I don’t agree. I’ve actually uploaded a couple of PHP files through the upload section already, just so I didn’t have to get on a FTP when I was away from my own computer. Are there many CMS systems that don’t allow uploading PHP files that you know of?
_dp Wrote:
internet54 Wrote:For the file upload issue, it is this code that breaks it.

Code:
if (basename($_SERVER['PHP_SELF']) == 'upload-ajax.php') {
    die('You cannot load this page directly.');
}

I can delete that code and replace it with a .htaccess file restriction and it works like a charm.
The problem with that is that newbies would have an issue trying to figure it out.

Wow, I couldn't believe that there are people who actually try this without thinking.
Thx to this "workaround" I found 3 (!) GetSimple sites within 10 minutes I could easily hack thanks to this unlimited upload script and the script breaker removal.

ccagle8: You should definitely do something about this issue. A session verification is the absolute minimum which has to exist in this script.
When I've time tomorrow, I'll hack it myself (if you didn't fix already)

The .htaccess method is safe as long as you know what you're doing.
I found some tips to fix this issue for those who updated ver. 1.x to 2.0. I believe that from ver. 2.0 "gsconfig.php" is required in document root but update instruction is missing this point.

1. If you are updating ver 1.x into ver. 2.0, don't forget to upload "gsconfig.php" in document root.

2. If you still have trouble with uploading files (even with "gsconfig.php"), try to uncomment the line 23 to use Uploadify:

Quote: define('GSNOUPLOADIFY', 1);

For me, Uploadify is working just fine.
I wanted to interject some information on this from a user standpoint. This is my first run with the CMS and I like it as a simple clean alternative for my people who are scared of the word "website" or on a nasty shared hosting plan.

I am evaluating GS for use in a project and could not locate the "Upload File" button in the File Management page. I thought it may be a bug and was about to abandon the eval when better judgement kicked in. I was performing the eval using Chrome 5 so I opened it up in FF 3.6 and BAM! There was the button. I checked the other A-browsers and it was there as well, except Safari and IE did have a lag in displaying the button text.

I just wanted to bring this up since Chrome is fairly new to the scene, but I am sure it will grow in share as people will like the "social app" feel to it...and the speed.
BRen13 Wrote:could not locate the "Upload File" button in the File Management page.

I've just tested that with Chrome 5 and IE8. The button is there, and lets me upload files, just like with FF.
Only found a small catch with IE8: after I upload a file (GS 2.01), the file list is not refreshed (until I click on the Files tab or reload the page). However, this doesn't happen with the development version (2.02), so it seems it's been fixed.
No 'Upload File' button for me in IE 6-8 (development version r164). Does no one else have this problem? I know the Flash isn't being blocked as it works in Chrome and Firefox. Without the Flash upload enabled the file input box is too wide (that just needs a CSS fix - removing `class="text"` from `sidebar-files.php`).
Hello all,

I have made a fresh install of the last 2.01.
Everything is working fine except the upload.

When I upload a file I could see the progress bar growing from 0% to 100% but the uploaded file is never saved on the server.
I have checked the permissions attribute and set the permissions for data and upload to 777 (just for test).

Does anyone have any idea ?

Thanks in advance.

kpa
I have the same problem as you. I can't upload any image either.
I can browse for file but there is no SUBMIT button below BROWSE form.
Sam - I've updated the SVN with that class removal. Thanks
Hi

When I install GetSimple 2.01 on WAMP's www directory file upload works but when I install it somewhere else using alias file upload does not work any more. Any idea?

Best wishes