Version 1.3.5 is tested and verified on Joomla 2.5! (2012-01-14)
Use download for 1.6/1.7!
!!!Security Release 2012-01-02!!!
The JED team found a vulnerability in the code: they managed to upload a file named "file.php5". Unfortunately I had not added php5 to the blocked extensions list. As of version 1.3.5 it is blocked, along with .php6, and there is an extra check that rejects any file name containing ".php". A blocklist can only cover names it knows about, and which extensions the web server actually executes depends on its handler configuration, so it is worth denying script execution in the upload directory as well.
Please make sure to update to version 1.3.5 as soon as possible!
UPDATE 2010-01-04: To be even more on the safe side, the module now also inspects GIF comments. There is a new option, "Block PHP GIF comments", set to "Yes" by default, which reads every GIF comment block and rejects the upload if the comment contains PHP code.
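The two checks the 1.3.5 notes describe, written out as an added example in Python (the module itself is PHP; this is not the project's code). The extension list, the function names and the hand-built GIF are assumptions. The extension check looks at every dotted segment rather than only the last one, and the GIF parser walks the real GIF89a block layout so that comment text split across 255-byte sub-blocks is reassembled before it is scanned.

```python
"""Upload-name and GIF-comment checks of the kind the 1.3.5 notes describe.
Added example, not SFU project code. Extension lists and sample bytes are assumptions."""
import re

# Assumed blocklist: the extensions in the notes plus others PHP handlers are
# commonly mapped to. Which of these really executes is decided by the web
# server configuration, which is why a blocklist alone is not enough.
BLOCKED_EXTENSIONS = {"php", "php3", "php4", "php5", "php6", "php7",
                      "phtml", "pht", "phar", "phps"}

# PHP open tags: "<?php", "<?=", the short tag "<? " and the old "<script language=php".
PHP_TAG = re.compile(rb"<\?(?:php\b|=|\s)|<script\s+language\s*=\s*['\"]?php",
                     re.IGNORECASE)

DEFAULT_ALLOWED = frozenset({"jpg", "jpeg", "png", "gif", "pdf"})


def blocked_by_extension(filename: str) -> bool:
    """True if ANY dotted segment after the first is a blocked extension.

    Checking every segment covers "shell.php.jpg", which Apache's mod_mime can
    still hand to the PHP handler; it is the precise form of the
    ".php anywhere in the name" check mentioned in the notes.
    """
    name = filename.replace("\0", "").lower()
    return any(seg in BLOCKED_EXTENSIONS for seg in name.split(".")[1:])


def allowed_upload(filename: str, allowed: frozenset = DEFAULT_ALLOWED) -> bool:
    """Allow-list form: exactly one extension, and it must be in `allowed`."""
    parts = filename.replace("\0", "").lower().split(".")
    return (len(parts) == 2 and parts[0] != "" and parts[1] in allowed
            and not blocked_by_extension(filename))


def _sub_blocks(data: bytes, pos: int) -> tuple:
    """Read GIF data sub-blocks (length byte + payload) up to the 0x00 terminator."""
    out = bytearray()
    while True:
        if pos >= len(data):
            raise ValueError("truncated GIF: missing block terminator")
        n = data[pos]
        pos += 1
        if n == 0:
            return bytes(out), pos
        if pos + n > len(data):
            raise ValueError("truncated GIF: short sub-block")
        out += data[pos:pos + n]
        pos += n


def gif_comments(data: bytes) -> list:
    """Walk the GIF block structure and return every Comment Extension payload."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    pos = 6
    packed = data[pos + 4]                  # Logical Screen Descriptor flags
    pos += 7
    if packed & 0x80:                       # Global Colour Table present
        pos += 3 * (2 ** ((packed & 0x07) + 1))
    comments = []
    while pos < len(data):
        block = data[pos]
        pos += 1
        if block == 0x3B:                   # Trailer
            break
        if block == 0x21:                   # Extension: label byte, then sub-blocks
            if pos >= len(data):
                raise ValueError("truncated GIF: missing extension label")
            label = data[pos]
            pos += 1
            payload, pos = _sub_blocks(data, pos)
            if label == 0xFE:               # Comment Extension
                comments.append(payload)
        elif block == 0x2C:                 # Image Descriptor
            if pos + 9 > len(data):
                raise ValueError("truncated GIF: short image descriptor")
            lpacked = data[pos + 8]
            pos += 9
            if lpacked & 0x80:              # Local Colour Table
                pos += 3 * (2 ** ((lpacked & 0x07) + 1))
            pos += 1                        # LZW minimum code size
            _, pos = _sub_blocks(data, pos) # image data, skipped (not decoded)
        else:
            raise ValueError(f"unexpected GIF block 0x{block:02x} at offset {pos - 1}")
    return comments


def gif_has_php_comment(data: bytes) -> bool:
    """The check behind the "Block PHP GIF comments" option: any comment with a PHP tag.
    Raises ValueError on malformed input, which a caller should treat as a reject."""
    return any(PHP_TAG.search(c) for c in gif_comments(data))


def build_gif(comment: bytes) -> bytes:
    """Constructed 1x1 GIF89a carrying one comment; sample input for this example."""
    out = bytearray(b"GIF89a")
    out += b"\x01\x00\x01\x00" + bytes([0x80, 0, 0])     # 1x1, global colour table of 2
    out += b"\x00\x00\x00\xff\xff\xff"                   # black, white
    out += b"\x21\xfe"                                   # Comment Extension
    for i in range(0, len(comment), 255):                # 255-byte sub-blocks
        chunk = comment[i:i + 255]
        out += bytes([len(chunk)]) + chunk
    out += b"\x00"                                       # sub-block terminator
    out += b"\x2c" + b"\x00" * 4 + b"\x01\x00\x01\x00" + b"\x00"   # Image Descriptor
    out += b"\x02" + b"\x02\x44\x01" + b"\x00"           # minimal LZW image data
    out += b"\x3b"                                       # Trailer
    return bytes(out)
```

Both checks decide by content of the upload alone; which names the server actually executes is set in its handler configuration, so treat them as a second layer behind a no-execute rule on the upload directory.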
It includes the following key features:
- Multiple modules on the same page with different settings
- "Add Note" to uploaded files
- Image re-size
- Automated thumbnail creation for images
- Image compress for JPEG and PNG
- Now supports both "User Named Directory" and "User Defined Directory"! (see below)
- List files in upload directory in pop-up (FancyBox)
- Multiple files upload
- Notification e-mail
- And more...
- Integrated Ajax in Joomla framework
- "Blacklist" of extensions (threat-protection)
- Multi-select file browser for Firefox 3.6+ versions
- Info popup-box now contains the link (URL)
- URL attached in e-mail notice
- Redirect option after uploading
- User Named Directory: You can set a root path for User Named Directories, e.g. "/home/users/" and then select which users should have the option to use the directory.
- User Defined Directory: You can select from the list of users and add custom directory paths for the user.
- Multiple choice of upload paths added. If a user has "User Named Directory" and/or "User Defined Directory", the user will get a pop-up box asking for the directory to upload to.
- List files option from upload directory in "pop-up"
- Form fields can now be collected into the same file; a few JED image galleries use such a parameter file for the labels/descriptions of images.
- Multiple languages.
Joomla 3.0 is now supported!
User Named Directories and User Defined Directories now also work on Joomla 3.0!
My understanding is that it is now standard practice to use dashes or underscores in filenames to avoid these problems, but I cannot rely on people uploading to do so.
I spent quite a while trying to hack the code to get it to work (I did succeed with some other modifications so I can't be a complete idiot!) but was not able to replace the spaces without breaking the text file writing part of the script.
I asked the developer but he was not able to do it.
Hi, so sorry that you are not satisfied with the work I've done. I have released my Extensions as GPL free for all to grab, use and change as they like.
I try to help out with modifications the best I can, but I do have a day-time job and do this in my spare time, which is why I simply don't have time to help all users asking for modifications.
I tried to help you out and sent several e-mails pointing out where to alter the code. Study PHP a bit more and then give it another go...
Next time when you rate something, please do so on the functions included, not according to what YOU want to have included... :(
That being said, when I first installed the mod, it didn't work at all. Turns out this was caused by wrong file permissions in the mod folder. Not sure how this happened, but Anders was able to quickly get to the bottom of this. The second issue was that uploads would seem to fail, or time-out with no warning. Once again, Anders was able to show me that it was due to a configuration problem with the PHP.INI (Problem on my end, not the SFU mod. My uploads were limited to 8MB.) Once I corrected the PHP.INI, the uploads (and multiple uploads) worked fine.
I'm using it, for example, for a client that wanted a way for their clients to submit files and artwork that was too big for e-mail. This extension allowed me to have users upload to their own, separate, sub-directories and don't see other users' folders or files.
However, this one didn't disappoint!
Once you actually find the correct version to install, getting it up and running is a breeze. Apparently I had installed the wrong version. The download page is a little bit confusing, but as soon as I made a comment on the website, Anders got back to me straight away with a solution in an email. Now everything seems to be working fine.
All in all, an excellent extension, so thanks and well done Anders. Cheers, Allan
PS. I will indeed be happy to give you a donation because it certainly is worth at least $5 bucks!
Even if you have very little Joomla experience you will be able to have your website visitors uploading files to your server in no time.
It integrates perfectly with Simple File Lister to automatically add the newly uploaded files to the list as well.
It also offers you decent security by allowing you to restrict and exclude the file types that can be uploaded, captcha to prevent bot exploitation, and notification emails so you will quickly be able to recognize if someone is abusing the feature.
For me, the combination of the two modules works perfectly as a way for the teachers who visit my page to upload and exchange classroom handouts and create an ever growing online repository.
Not to mention support seems to be very quick, with Anders even mailing me a build of the module that will not be released until later this week!
I can highly recommend it.
So sorry that you aren't 100% happy with my module...
As you wrote I have tried to help you but as you could not provide the logs for your server it is impossible for me to try and solve your issue with why the Warning is posted.
If you reduce the logging level for Joomla from Maximum the Warning will not be visible and SFU will still work fine...
Please let me know if you can get hold of the logs.
Looks nice too, although that wasn't that important in my case.
The only solution WAS a paid extension from CB.
But this module simplifies the thing for free (well, let's donate when you earn profit from using this module).
As for the security vulnerability, IN ADDITION to utilizing the blacklist function, we can also put an .htaccess in that particular upload folder to disallow any file access from it.
Thanks for taking the time to review my extension!
The suggestion for .htaccess is very good and should be used if added security is required on the server!
For anyone using IIS here is an article that some other user sent me for .htaccess on IIS: http://forums.iis.net/p/1151878/1879997.aspx#1879997
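An .htaccess of the kind suggested above, as an added example for an Apache upload directory; it is not part of the SFU module and the extension list in the pattern is an assumption. The first variant keeps uploads downloadable and only stops them from being run as scripts; the second is the stricter "deny all access" the review describes. Which directives take effect depends on the server's AllowOverride setting, and nginx does not read .htaccess at all (the IIS link above covers web.config).

```apache
# Added example .htaccess for the upload directory (not SFU project code).
# Requires the vhost to permit overrides here (AllowOverride AuthConfig/Limit/Options).

# Variant 1: files stay downloadable, but nothing here is ever treated as a script.
# The pattern matches a script extension ANYWHERE in the name, not only at the end,
# because Apache mod_mime honours every extension and can hand "shell.php.jpg"
# to the PHP handler when the site maps PHP with AddHandler/AddType.
<FilesMatch "(?i)\.(php[0-9]?|phtml|pht|phar|phps|cgi|pl|py|sh)(\.|$)">
    # Apache 2.4
    Require all denied
    # Apache 2.2 equivalent (use instead of the line above):
    #   Order allow,deny
    #   Deny from all
</FilesMatch>

# Belt and braces when PHP runs as mod_php: turn the engine off for this tree.
# Under php-fpm/CGI the directive is unknown and can produce a 500, so it stays
# commented out unless you know mod_php is in use.
# php_flag engine off

# No CGI, no server-side includes, no following symlinks out of the directory.
# Needs AllowOverride Options; otherwise Apache returns a 500 for this file.
Options -ExecCGI -Includes -FollowSymLinks

# Variant 2: nobody needs to fetch files over HTTP directly (a script serves them).
# Then block everything, as the review suggests; replace the FilesMatch block with:
#   Require all denied      (2.4)
#   Deny from all           (2.2)
```

With variant 1 the blacklist in the module is still the first line of defence for names; this file decides what the server will execute regardless of what got written to disk. Verify the rule by requesting a harmless test file named like `test.php.txt` from the upload folder and confirming a 403 rather than its contents.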