
Show HN: Upload any file - devbob
http://updrop.it
======
plugnburn
Well, I found what the server side is written in.

In fact, I found everything about your server.

Why? Because you, sir, do not know a thing about server security and
configuration - this is the file I managed to upload:
[http://updrop.it/uploads/info.php](http://updrop.it/uploads/info.php)

I will not hack your server but someone else definitely will, so you have to
either close this hole ASAP (disable PHP file uploading) or take the service
down.

~~~
devbob
Hey, please shoot me an email if you're interested in any paid work, thanks

~~~
plugnburn
I'm not interested in any paid work. I'm trying to say that your entire server
is vulnerable to hacker attacks right now. It seems strange that you posted a
vulnerable website on Hacker (!) News...

Or do I need to post my message on the index page of your site for you to get
how critical the vulnerability is? If so, which one? Updrop.it, torrbin.com or
noteworthyfacts.com?

~~~
devbob
No problem, it's an MVP, looks like I need to hire a dev! Thanks.

~~~
plugnburn
So Updrop wasn't made by you and you hired a dev to create it?

~~~
devbob
A bit of both, I'm just learning backend, so feedback is appreciated a lot

~~~
plugnburn
So that's my feedback: at least remove the ability to upload PHP files onto
Updrop. And then disable PHP for the upload folder altogether.

------
plugnburn
Nice idea, nice design, horrible code behind it.

Just a look at rtu.js made me cry. Never mix logic and presentation.
Especially in such security-crucial projects.

I don't know what the server side is written in, but it seems horrible too: I
managed to upload the same file twice and it returned a link in the same
directory but with different names (boomer.mid and boomer(1).mid). So it's
possible to flood all the server space with the same file an unlimited number
of times. This is definitely a security issue. Also, a name mustn't change over
time: my (or anyone else's) next boomer.mid upload mustn't become
boomer(2).mid.

I haven't tried it yet, but I hope server-side filetype validation is also
present? Otherwise the server is going to have big trouble over time...
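One way to implement the fixes plugnburn asks for in both threads (refusing PHP uploads, validating the type server-side, and not storing the same file again as boomer(1).mid), as an added PHP example that is not updrop.it's own code: the allowlist contents, the form field name and the upload directory are assumptions.

```php
<?php
// Added example, not updrop.it's code. Hardened upload handler covering the
// three points raised in the thread: unlisted types such as .php are refused,
// the type is checked server-side from the bytes, and re-uploading identical
// content never creates boomer(1).mid, boomer(2).mid, ... copies.
// Defence in depth: the web server must also be told not to execute anything
// under the upload directory (Apache mod_php: "php_flag engine off" or
// "RemoveHandler .php" for that directory; nginx: no PHP location for /uploads/).
declare(strict_types=1);
// Allowlist (assumed set): extension => MIME types the actual bytes must match.
// Everything not listed (php, phtml, phar, ...) is rejected, so there is no denylist to bypass.
const ALLOWED_TYPES = [
    'png' => ['image/png'],
    'jpg' => ['image/jpeg'],
    'pdf' => ['application/pdf'],
    'mid' => ['audio/midi', 'audio/x-midi'],
];

// Validates one $_FILES entry and stores it; returns the stored filename or throws.
function store_upload(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('no valid uploaded file');
    }
    // Only the final extension of the client name is consulted, and only to pick
    // the allowlist entry; the client name itself is never used for storage.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException("file type .$ext is not allowed");
    }
    // Server-side type check: sniff the bytes, ignore the client's Content-Type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_TYPES[$ext], true)) {
        throw new RuntimeException("content ($mime) does not match .$ext");
    }
    // Content-addressed name: identical bytes always map to the same file, so a
    // repeated upload returns the existing link instead of consuming more disk,
    // and the name never shifts to boomer(2).mid on a later upload.
    $stored = hash_file('sha256', $file['tmp_name']) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $stored;
    if (!is_file($dest) && !move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $stored;
}

// Usage from the upload endpoint (field name "file" and the directory are assumptions):
// echo '/uploads/' . store_upload($_FILES['file'], __DIR__ . '/uploads');
```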

