HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (http://www.howtoforge.com/forums/index.php)
-   Tips/Tricks/Mods (http://www.howtoforge.com/forums/forumdisplay.php?f=29)
-   -   FTP Backup manager (http://www.howtoforge.com/forums/showthread.php?t=52466)

ncoc.nl 27th April 2011 14:10

FTP Backup manager
 
5 Attachment(s)
Hi everyone,

Because of the mirror issues described in http://www.howtoforge.com/forums/showthread.php?t=52341 I started a new little project based on Virtual Hosting With PureFTPd And MySQL (Incl. Quota And Bandwidth Management) On Debian Etch.
The installation instructions are for Debian Etch but also work for Debian Lenny.

I created a web interface for the FTP backup server, so phpMyAdmin is not needed anymore; the interface and FTP server have been tested for several days and seem bug free.

Follow the installation instructions written by Falko, but use the MySQL.txt file provided in the zip to populate the MySQL database.

Change the MySQL password in inc_connect.php and upload the PHP files into the root of the webserver (/var/www).

When connecting, the webserver shows a login screen:

Username: ftp-admin
Password: ftp-admin

You can change the admin password when logged on.

Remark: the delete option deletes the user without question!

[edit]
The files are modified and the zip is updated
[/edit]

Ben 27th April 2011 14:27

Looks cool.

But one thing you should check for is vulnerabilities, e.g. XSS and SQL injection in create_FTP_user.php, just as an example, as the script is lacking input validation and output masking, among others.

ncoc.nl 27th April 2011 14:42

I agree, I did protect granted.php against MySQL injection but I forgot the other files :(
Tonight I'll modify the other files and upload the zip again.

Ronald

Ben 27th April 2011 16:47

But don't forget about Cross Site Scripting and others, as well ;)

ncoc.nl 27th April 2011 17:48

Ben,

Basically, if not logged on there is no possibility to run any of the other scripts; validation is done at the beginning of every script:

session_start();
// session_is_registered() takes the variable name as a string, not a bare constant
if (!session_is_registered("User")) {
    header("Location: login.php");
    exit; // without exit the rest of the script still runs for an unauthenticated request
}

Then the input is escaped against MySQL injection:

// first undo magic_quotes slashes, then escape for use inside a quoted SQL string
$User = stripslashes($User);
$Password = stripslashes($Password);
$User = mysql_real_escape_string($User);
$Password = mysql_real_escape_string($Password);

And the password is encrypted:

$encrypted_Password=md5($Password);

At last the session is registered:

session_register("User");
session_register("Password");

Did I miss something or better, is there something that can make the script better?
Please advise!

Regards,
Ronald
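The post above describes the login flow as session check, escaping, md5 and session_register(). The block below is an added example (not part of the thread or of the FTP Backup manager zip) showing the same flow on current PHP: the redirect stops execution, the lookup uses a prepared statement instead of mysql_real_escape_string(), the admin password is stored with password_hash() instead of md5(), the session stores only the identity, and everything echoed back into HTML goes through htmlspecialchars(). The table admin_users with column password_hash, the DSN and credentials, and the ftpd/User/Dir names from Falko's PureFTPd tutorial are assumptions; the FTP users' own Password column is a separate matter, since its format is dictated by the MySQLCrypt setting in pure-ftpd's MySQL config.

```php
<?php
// Added example, not the project's code. Assumed: table admin_users(username, password_hash),
// table ftpd(User, Dir) as in the PureFTPd howto, and the DSN/credentials below.
session_start();

// Same check as the original, but exit so nothing below runs for anonymous requests.
function require_login(): void
{
    if (empty($_SESSION['User'])) {
        header('Location: login.php');
        exit;
    }
}

function db(): PDO
{
    // In the project these values live in inc_connect.php (assumed values here).
    $pdo = new PDO('mysql:host=localhost;dbname=pureftpd;charset=utf8mb4', 'ftpadmin', 'secret');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares
    return $pdo;
}

// Login: the user name is bound as a parameter, never concatenated into the query,
// so no escaping step is needed and there is nothing to forget in other files.
function login(PDO $pdo, string $user, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM admin_users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);   // new session id after login (session fixation)
    $_SESSION['User'] = $user;     // keep the identity only; the password is not needed later
    return true;
}

// "Change the admin password when logged on": store a salted hash, not md5().
function set_admin_password(PDO $pdo, string $user, string $newPassword): void
{
    $stmt = $pdo->prepare('UPDATE admin_users SET password_hash = :h WHERE username = :u');
    $stmt->execute([':h' => password_hash($newPassword, PASSWORD_DEFAULT), ':u' => $user]);
}

// Output escaping: every value reflected into HTML (user names, directories, comments) passes here.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Example page body: list the FTP accounts.
require_login();
$pdo = db();
foreach ($pdo->query('SELECT User, Dir FROM ftpd') as $row) {
    echo '<tr><td>' . h($row['User']) . '</td><td>' . h($row['Dir']) . '</td></tr>' . "\n";
}
```

password_hash() and password_verify() exist from PHP 5.5; the mysql_* functions used in the original were removed in PHP 7, so PDO (or mysqli with bound parameters) is the replacement either way. Existing md5 admin hashes can be migrated on the next successful login by verifying against md5 once and then calling set_admin_password().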

ncoc.nl 28th April 2011 01:25

The files are modified and more secure, thanks to Ben for his advice.

The zip in the first post is updated

ncoc.nl 4th May 2011 01:14

Added an installation manual for Debian Lenny (see first post)

Ben 4th May 2011 14:56

Quote:

In basic if not logged on there is no possibilty to run one of the other scripts, validation is done at the beginning of every script:
Every trustful user might be untrustful or used by a victim when logged in to A and surfing B while being the victim of an XSS attack combined with CSRF to attack A... ;)
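Ben's point is that a session check alone does not help when the logged-in admin's own browser is made to send the request (and the first post notes that delete removes a user without question). The block below is an added example, not code from the thread or the zip: a per-session synchronizer token that every state-changing form carries and every handler verifies, plus the session cookie flags that limit what a cross-site page can do with the cookie. The form field names, the delete_FTP_user.php file name and the use of POST for actions are assumptions; random_bytes() and hash_equals() need PHP 7.0+, the array form of session_set_cookie_params() PHP 7.3+.

```php
<?php
// Added example, not the project's code. Assumed names: csrf_token, user, confirm, delete_FTP_user.php.

// Cookie flags before the session starts: HttpOnly keeps script on another origin's page from
// reading it, SameSite=Lax stops the browser attaching it to cross-site POSTs, Secure when on HTTPS.
session_set_cookie_params([
    'httponly' => true,
    'samesite' => 'Lax',
    'secure'   => !empty($_SERVER['HTTPS']),
]);
session_start();

// One random token per session, created on first use.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to put inside every form that creates, edits or deletes a user.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Call at the top of every action script, after the login check.
function require_valid_csrf(): void
{
    $sent = $_POST['csrf_token'] ?? null;
    if ($_SERVER['REQUEST_METHOD'] !== 'POST'        // actions never via GET links
        || !is_string($sent)
        || !hash_equals(csrf_token(), $sent)) {      // constant-time comparison
        http_response_code(403);
        exit('Request rejected: missing or invalid token.');
    }
}

// delete_FTP_user.php (assumed name): token check, then an explicit confirmation step.
if (empty($_SESSION['User'])) {
    header('Location: login.php');
    exit;
}
require_valid_csrf();
$user = $_POST['user'] ?? '';
if (($_POST['confirm'] ?? '') !== 'yes') {
    // First POST only shows the confirmation form; nothing is deleted yet.
    echo '<form method="post">'
        . 'Delete FTP user ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . '? '
        . '<input type="hidden" name="user" value="' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . '">'
        . '<input type="hidden" name="confirm" value="yes">'
        . csrf_field()
        . '<button type="submit">Yes, delete</button></form>';
    exit;
}
// Only here, with a valid token and confirm=yes, run the DELETE with a bound parameter.
// $pdo->prepare('DELETE FROM ftpd WHERE User = :u')->execute([':u' => $user]);
```

The token makes a forged request from site B fail even if the admin is logged in to A, because B cannot read A's session token; it does not replace output escaping, since a reflected XSS on A itself runs with access to the page and its token.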



Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.