lfiore / upld Goto Github PK

It will be good if you can add way of drag-and-drop or paste from clipboard.

Hello maintainer(s),

I am a security researcher from the Institute of Application Security at TU Braunschweig, Germany. We discovered a (potential) security vulnerability in your project.

We would like to report this vulnerability to you in a responsible and ethical manner.
Therefore, we do not want to disclose any details of the vulnerability publicly until you have had a chance to review and fix it.

Could you please let us know your prefered way of receiving security reports?

You can contact us at [email protected] or by replying to this issue.

Thank you for your attention and cooperation.

I was wondering, would it be possible to rescan the image folder?
Hypothetically: if the database got corrupted and needed to be wiped, the images are still there but not showing up since they're not in the database. Also there's no database backup.
Then it would be great if you could do like a scan that puts them into the database again. I guess all of them would then be assigned to one specific account (like the admin account), but it's better than having to re-upload everything again, getting new ID's and such.

e.g. ban feature did not use CSRF token to protect.

I can construct the url http://somewhere.com/ban.php?id=1 and embed it as an image. Once an admin is tricked to visit the page, it will cause the server to begin deleting someone's images.

Suggestion: any action to be performed other than read should be verified against a valid CSRF token.

More details:

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

Hello!
I've been having some weird issues.
When I run upld in a closed environment, I have no problems at all with registering and logging in users.
But when I recreate everything on my actual webserver, I can register users, but I cannot login users. No idea why.
Also, in the database it says the wrong IP adress of the user (me in this case). I haven't done anything weird as far as I know, I use basically the exact same system in both cases.
Any idea as to why this happens?

Looks like we need to add a mail configuration to verify registration.

Hello,

How can I setup friendly urls when using nginx?

Thanks you

add a config option to disable anonymous upload.

Admin needs to be able to administer all accounts with options to delete images and ban the user/s.

Everything else is fantastic.

Just seems to be missing this important feature in my opinion.

provide a configuration option to allow hotlinking only from certain websites, not all the internet.
this way, every admin can create such a hosting site for it's own websites.

it would be useful to add google recaptcha to the login and register forms, maybe even to the upload form.
instructions here: https://www.google.com/recaptcha/admin and here: https://developers.google.com/recaptcha/docs/invisible

option should be enabe/disable from config or an admin page and provide a field for the recaptcha key.

admin to view all image and can config image perpage to view.
array/Sort by upload time (New before Old).

is there a option to add extension like .zip for upload?

The fonts.googleapis.com reference in css/upload.css uses the http:// protocol - I have made my selfhosted version use //fonts.googleapis.com in order to prevent browser warnings.

Warning: imagecopyresized() expects parameter 1 to be resource, integer given in /var/www/html/upld/inc/moderate.php on line 148

Warning: imagejpeg() expects parameter 1 to be resource, integer given in /var/www/html/upld/inc/moderate.php on line 151

Warning: imagedestroy() expects parameter 1 to be resource, integer given in /var/www/html/upld/inc/moderate.php on line 152

file inc/moderate.php line# 143
$new_thumb = imagecolorallocate($thumb, 0, 0, 0);
imagecolortransparent($thumb, $new_thumb);

to
if (imagecolortransparent($thumb) <> -1)
{
$new_thumb = imagecolorallocate($thumb, 0, 0, 0);
imagecolortransparent($thumb, $new_thumb);
}