Simple File Upload




Version 1.3.5 is tested and verified on Joomla 2.5! (2012-01-14)
Use download for 1.6/1.7!
!!!Security Release 2012-01-02!!!
JED found an exploit in the code where they managed to upload a file named "file.php5". Unfortunately I had not added php5 to the blocked extensions list but now (version 1.3.5) it is added along with .php6 and an extra check to see if ".php" exists in the file-name!
Please make sure to update to version 1.3.5 as soon as possible!
UPDATE 2010-01-04: To be even more on the safe side I have now added code to inspect GIF comments. There is a new option called "Block PHP GIF comments" in the settings, set to "Yes" by default, which will read any GIF comment and block the upload if the comment contains any PHP code!
!!!Security Release!!!
It includes the following key features:
- Multiple modules on the same page with different settings
- "Add Note" to uploaded files
- Image re-size
- Automated thumbnail creation for images
- Image compress for JPEG and PNG
- Now supports both "User Named Directory" and "User Defined Directory"! (see below)
- CAPTCHA
- List files in upload directory in pop-up (FancyBox)
- Multiple files upload
- Notification e-mail
- And more...
More features:
- Integrated Ajax in Joomla framework
- "Blacklist" of extensions (threat-protection)
- Multi select file browser for Firefox 3.6+ versions
- Info popup-box now contains the link (URL)
- URL attached in e-mail notice
- Redirect option after uploading
- User Named Directory: You can set a root path for User Named Directories, e.g. "/home/users/" and then select which users should have the option to use the directory.
- User Defined Directory: You can select from the list of users and add custom directory paths for the user.
- Multiple choice of upload paths added. If a user has "User Named Directory" and/or "User Defined Directory" the user will get a pop-up box asking for the directory to upload to.
- List files option from upload directory in "pop-up"
- Form Fields can now be collected into the same file. A few JED Image Galleries are using a parameter file for labels/description of images.
- Multiple languages.
Take care!
Regards,
Anders
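The GIF comment inspection described in the update above, as an added example that is not the module's own code: it walks the GIF block structure, collects comment extensions and flags any that contain a PHP open tag. The function names and the sample bytes are assumptions constructed for illustration.

```php
<?php
// Added example (PHP 7.4+): returns the text of every comment extension (label 0xFE).
function gifComments(string $data): array
{
    $len = strlen($data);
    if ($len < 13 || !in_array(substr($data, 0, 6), ['GIF87a', 'GIF89a'], true)) {
        throw new InvalidArgumentException('not a GIF');
    }
    $tableSize = fn(int $flags): int => ($flags & 0x80) ? 3 * (1 << (($flags & 7) + 1)) : 0;
    $pos = 13 + $tableSize(ord($data[10]));   // header, screen descriptor, global colour table
    // Reads length-prefixed sub-blocks up to the zero-length terminator.
    $subBlocks = function () use ($data, $len, &$pos): string {
        $out = '';
        while (true) {
            if ($pos >= $len) throw new RuntimeException('truncated GIF');
            $n = ord($data[$pos++]);
            if ($n === 0) return $out;
            $out .= substr($data, $pos, $n);
            $pos += $n;
        }
    };
    $comments = [];
    while ($pos < $len) {
        $type = ord($data[$pos++]);
        if ($type === 0x3B) return $comments;             // trailer: end of the data stream
        if ($type === 0x21 && $pos < $len) {              // extension: label, then sub-blocks
            $label = ord($data[$pos++]);
            $body = $subBlocks();
            if ($label === 0xFE) $comments[] = $body;
        } elseif ($type === 0x2C && $pos + 9 < $len) {    // image descriptor (9 bytes follow)
            $pos += 9 + $tableSize(ord($data[$pos + 8])) + 1;  // local table, LZW code size
            $subBlocks();                                 // skip the compressed image data
        } else {
            throw new RuntimeException('malformed GIF');
        }
    }
    throw new RuntimeException('truncated GIF');          // no trailer seen: fail closed
}

function gifHasPhpComment(string $data): bool
{
    return stripos(implode("\n", gifComments($data)), '<?') !== false;
}

// Constructed 1x1 samples: header, screen descriptor, optional comment extension, trailer.
$comment = '<?php echo 1;';
$sample = "GIF89a\x01\x00\x01\x00\x00\x00\x00\x21\xFE" . chr(strlen($comment)) . $comment . "\x00\x3B";
var_dump(gifHasPhpComment($sample));
var_dump(gifHasPhpComment("GIF89a\x01\x00\x01\x00\x00\x00\x00\x3B"));
```

An upload handler using this would treat any exception as a rejection. The check only looks at comment blocks, so it complements the extension check and a non-executable upload directory rather than replacing them.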
Even if you have very little Joomla experience you will be able to have your website visitors uploading files to your server in no time.
It integrates perfectly with Simple File Lister to automatically add the newly uploaded files to the list as well.
It also offers you decent security by allowing you to restrict and exclude the file types that can be uploaded, captcha to prevent bot exploitation, and notification emails so you will quickly be able to recognize if someone is abusing the feature.
For me, the combination of the two modules works perfectly as a way for the teachers who visit my page to upload and exchange classroom handouts and create an ever growing online repository.
Not to mention support seems to be very quick, with Anders even mailing me a build of the module that will not be released until later this week!
I can highly recommend it.
Thanks Anders!
So sorry that you aren't 100% happy with my module...
As you wrote I have tried to help you but as you could not provide the logs for your server it is impossible for me to try and solve your issue with why the Warning is posted.
If you reduce the logging level for Joomla from Maximum the Warning will not be visible and SFU will still work fine...
Please let me know if you can get hold of the logs.
Regards,
Anders
Looks nice too, although that wasn't that important in my case.
The only solution WAS paid extension from CB.
But, this module simplifies the thing for free (well, let's donate when you earn profit from using this module).
As for the security vulnerability, IN ADDITION to utilizing the blacklist function, we can also put a .htaccess to disallow any file access from that particular upload folder.
Thanks for taking the time to review my extension!
The suggestion for .htaccess is very good and should be used if added security is required on the server!
For anyone using IIS here is an article that some other user sent me for .htaccess on IIS: http://forums.iis.net/p/1151878/1879997.aspx#1879997
Regards,
Anders
Then I had a go at this extension and BAM, it does all I need.
The developer should look into the security "hole" found by the "Easy Uploader" developer though as no such attempt to prevent false file types seems to be included in the code.
I am very happy that I don't have to alter anything in this extension!
Keep up the good work!
Hi,
thanks for your kind review!
I am aware of this security "threat" and have already included a "black-list" for extensions in version 1.3 (are you using 1.2? In that case please upgrade to get the Black-list function).
I tested several different ways of securely detecting the type of file uploaded but I have not found any that would work on different PHP versions and/or platforms.
With the Black-list, even if an attacker fakes their way by changing the content-type, they will not be able to change the fact that the extension is required for the file to be interpreted by the server and thus it is "pretty" safe.
Another way is to block "web access" for the upload directory using .htaccess but then again the content (like images) will not be available for web pages either.
Unfortunately there is no good way of doing this in PHP versions lower than 5.3 and even with 5.3 many hosting providers are not allowing the use of file objects or exec functions which would be used to verify the "real" mime type.
Regards,
Anders
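An added example, not the module's code, relating the black-list discussed in the reply above to the "file.php5" upload mentioned in the 1.3.5 release note: a deny-list accepts whatever it fails to name, while an allow-list rejects it by default. Both lists, the function names and the file names are constructed for illustration.

```php
<?php
// Added example. Both lists are constructed for illustration, not the module's settings.
const DENIED  = ['php', 'php3', 'php4', 'phtml'];        // hypothetical list without php5
const ALLOWED = ['gif', 'jpg', 'jpeg', 'png', 'pdf'];    // hypothetical allow-list

// Deny-list check: accepts anything whose last extension is not listed.
function denyListAccepts(string $name): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return !in_array($ext, DENIED, true);
}

// Allow-list check: every dot-separated segment after the base name must be listed,
// so "a.php.jpg" is rejected as well (at the cost of rejecting "report.v2.pdf").
function allowListAccepts(string $name): bool
{
    $name = strtolower(basename(str_replace('\\', '/', $name)));
    if (strpos($name, "\0") !== false) return false;
    $segments = explode('.', $name);
    array_shift($segments);                  // drop the base name
    if ($segments === []) return false;      // no extension at all
    foreach ($segments as $segment) {
        if (!in_array($segment, ALLOWED, true)) return false;
    }
    return true;
}

// Constructed file names, including the one from the 1.3.5 release note.
foreach (['photo.jpg', 'file.php5', 'file.PHP', 'a.php.jpg', 'notes.pdf'] as $name) {
    printf("%-10s deny-list: %-6s allow-list: %s\n", $name,
        denyListAccepts($name) ? 'accept' : 'reject',
        allowListAccepts($name) ? 'accept' : 'reject');
}
```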
Thanks
Rudolf Aigner
The French translation is also very good. I could use the module out of the box. My purpose was to allow users to upload audio/video excerpts (which they later integrate in their articles with AVReloaded).
So thanks to the developer for sharing this great extension!
I am in the process of evaluating the various upload modules/components for Joomla in order to find one to suit my needs for my humble site.
I recommend simple file upload module.
It does what it says and works like a charm.
You don't have to mess with tons of options and surprise:
Andrew, the developer, will answer your questions and will modify/correct the module if needed.
In my case he mailed me - on his initiative - and made fixes in just one day, taking in serious regard my observations.
There is no manual because it is not needed. You don't have to read tons of pages to make it work.
You will have it up and running (AND modified to your needs) in minutes.
Thought I would recommend the creation of a support forum for this great module.
Regards,
the_observer.
Thanks, I really appreciate you taking the time to write the review!
You are not the first to ask for a support forum. The FAQ on my site has done its work but with the added functionality for "User Defined Directory" and "User Named Directory" I have noticed that I do get a lot more questions... I will give it some thought and probably put something up on my site shortly...
Btw, the name's Anders, not Andrew... ;)
Best Regards,
Anders
It does all I could ask (and more)!
I needed the more flexible user management to be able to point each user's directory to a different location and this module made it possible. I had to ask for some help to do it but it was all in the settings.
I could just ask for some better instructions... but then again the developer helped out in just a few minutes.
Thanks for this great extension!







