str_replace

[black-ops]

Hey all, I am testing out my friends website atm however I noticed that within his image file upload he has screwed up the section where he gets to rename it.

For instance:
You upload a file in the admin menu and have to give it a name.
so file name might be x.jpg he's done it so you have to rename the file upon upload. so let's say that I call it x again. thats all fine
however in the management tab you can delete the image or rename it.
If you choose to rename the image it replaces anything like %00 / with a different value (str_replace), so after testing around I found out that I can change the location of his images by going: \..\..\..\image.jpg
which now will not be displayed in the list of uploaded files. He wants to fix it yet I am not quite sure what is going on, I know he displays his code within a loop (for displaying the images) or so he says. Any ideas? or even possibly how to fix the \..\..\, i tried using a null byte on his site upload so for instance:

maliciousScript.php%00.jpg and thats fine it gets turned to maliciousScript.php_.jpg

yet as previously mentioned if an ordinary image rename is changed to \..\..\..\ then it screws up.

thanks.

 

[suarve]

For the paths it could be some sort of setting for relative paths. I know in tiny_mce you can set your base path or turn of relative paths altogether.

The slashes and character replacing, there is mostl likely some sort of input filtering going on - wiouyld need to see your code. Magic quotes could also be on:

if(get_magic_quotes_gpc()) {
        $data = stripslashes($_POST['pageContent']);
    } else {
        $data = $_POST['pageContent'];
    }

 

[black-ops]

ok, cheers dude that apparently helped him,

again thanks for the help =)

He had never used magic quotes apparently and did it all manually but like you said without seeing code it's impossible to say =P