Solved

Upload file Form PHP5 IIS6

Posted on 2009-07-02
Last Modified: 2013-12-13
I'm trying to create a form to allow uploading of files to the Windows 2003 server which houses the HTML page.

I have PHP5 installed and am using a PHP script that the HTML file references. The error I'm getting when testing the upload is

HTTP Error 401.3 - Unauthorized: Access is denied due to an ACL set on the requested resource.
Internet Information Services (IIS)

I'm listing the HTML code and the PHP code as well.

HTML

<form enctype="multipart/form-data" action="file-upload.php" method="POST">
  <div><?php echo $message; ?></div><?php echo $max_file_size_tag; ?>
  Please select file to upload: <input type="file" size="20" name="filename">
  <input type="submit" value="Upload" name="submit">
</form>

PHP

<?php

####################################################################
# File Upload Form 1.1
####################################################################
# For updates visit http://www.zubrag.com/scripts/
####################################################################

####################################################################
#  SETTINGS START
####################################################################

// Folder to upload files to. Must end with slash /
define('DESTINATION_FOLDER','/apps/');

// Maximum allowed file size, Kb
// Set to zero to allow any size
define('MAX_FILE_SIZE', 0);

// Upload success URL. User will be redirected to this page after upload.
define('SUCCESS_URL','http://www.website.com/upload-success.htm');

// Allowed file extensions. Will only allow these extensions if not empty.
// Example: $exts = array('avi','mov','doc');
$exts = array();

// rename file after upload? false - leave original, true - rename to some unique filename
define('RENAME_FILE', false);

// put a string to append to the uploaded file name (after extension);
// this will reduce the risk of being hacked by uploading potentially unsafe files;
// sample strings: aaa, my, etc.
define('APPEND_STRING', 'resume');

// Need uploads log? Logs would be saved in the MySql database.
define('DO_LOG', false);

// MySql data (in case you want to save uploads log)
//define('DB_HOST','localhost'); // host, usually localhost
//define('DB_DATABASE','mydb'); // database name
//define('DB_USERNAME','myusername'); // username
//define('DB_PASSWORD','password-here'); // password

/* NOTE: when using log, you have to create mysql table first for this script.
Copy paste following into your mysql admin tool (like PhpMyAdmin) to create table
If you are on cPanel, then prefix _uploads_log on line 205 with your username, so it would be like myusername_uploads_log

CREATE TABLE _uploads_log (
  log_id int(11) unsigned NOT NULL auto_increment,
  log_filename varchar(128) default '',
  log_size int(10) default 0,
  log_ip varchar(24) default '',
  log_date timestamp,
  PRIMARY KEY  (log_id),
  KEY (log_filename)
);

*/

####################################################################
###  END OF SETTINGS.   DO NOT CHANGE BELOW
####################################################################

// Allow script to work long enough to upload big files (in seconds, 2 days by default)
@set_time_limit(172800);

// following may need to be uncommented in case of problems
// ini_set("session.gc_maxlifetime","10800");

function showUploadForm($message='') {
  $max_file_size_tag = '';
  if (MAX_FILE_SIZE > 0) {
    // convert to bytes
    $max_file_size_tag = "<input name='MAX_FILE_SIZE' value='".(MAX_FILE_SIZE*1024)."' type='hidden' >\n";
  }

  // Load form template
  include ('file-upload.html');
}

// errors list
$errors = array();

$message = '';

// we should not exceed php.ini max file size
$ini_maxsize = ini_get('upload_max_filesize');
if (!is_numeric($ini_maxsize)) {
  if (strpos($ini_maxsize, 'M') !== false)
    $ini_maxsize = intval($ini_maxsize)*1024*1024;
  elseif (strpos($ini_maxsize, 'K') !== false)
    $ini_maxsize = intval($ini_maxsize)*1024;
  elseif (strpos($ini_maxsize, 'G') !== false)
    $ini_maxsize = intval($ini_maxsize)*1024*1024*1024;
}
if ($ini_maxsize < MAX_FILE_SIZE*1024) {
  $errors[] = "Alert! Maximum upload file size in php.ini (upload_max_filesize) is less than script's MAX_FILE_SIZE";
}

// show upload form
if (!isset($_POST['submit'])) {
  showUploadForm(join('',$errors));
}
 

// process file upload
else {

  while(true) {

    // make sure destination folder exists
    if (!@file_exists(DESTINATION_FOLDER)) {
      $errors[] = "Destination folder does not exist or no permissions to see it.";
      break;
    }

    // check for upload errors
    $error_code = $_FILES['filename']['error'];
    if ($error_code != UPLOAD_ERR_OK) {
      switch($error_code) {
        case UPLOAD_ERR_INI_SIZE:
          // uploaded file exceeds the upload_max_filesize directive in php.ini
          $errors[] = "File is too big (1).";
          break;
        case UPLOAD_ERR_FORM_SIZE:
          // uploaded file exceeds the MAX_FILE_SIZE directive that was specified in the HTML form
          $errors[] = "File is too big (2).";
          break;
        case UPLOAD_ERR_PARTIAL:
          // uploaded file was only partially uploaded.
          $errors[] = "Could not upload file (1).";
          break;
        case UPLOAD_ERR_NO_FILE:
          // No file was uploaded
          $errors[] = "Could not upload file (2).";
          break;
        case UPLOAD_ERR_NO_TMP_DIR:
          // Missing a temporary folder
          $errors[] = "Could not upload file (3).";
          break;
        case UPLOAD_ERR_CANT_WRITE:
          // Failed to write file to disk
          $errors[] = "Could not upload file (4).";
          break;
        case 8:
          // File upload stopped by extension
          $errors[] = "Could not upload file (5).";
          break;
      } // switch

      // leave the while loop
      break;
    }

    // get file name (not including path)
    $filename = @basename($_FILES['filename']['name']);

    // filename of temp uploaded file
    $tmp_filename = $_FILES['filename']['tmp_name'];

    $file_ext = @strtolower(@strrchr($filename,"."));
    if (@strpos($file_ext,'.') === false) { // no dot? strange
      $errors[] = "Suspicious file name or could not determine file extension.";
      break;
    }
    $file_ext = @substr($file_ext, 1); // remove dot

    // check file type if needed
    if (count($exts)) {   /// some day maybe check also $_FILES['user_file']['type']
      if (!@in_array($file_ext, $exts)) {
        $errors[] = "Files of this type are not allowed for upload.";
        break;
      }
    }

    // destination filename, rename if set to
    $dest_filename = $filename;
    if (RENAME_FILE) {
      $dest_filename = md5(uniqid(rand(), true)) . '.' . $file_ext;
    }
    // append predefined string for safety
    $dest_filename = $dest_filename . APPEND_STRING;

    // get size
    $filesize = intval($_FILES["filename"]["size"]); // filesize($tmp_filename);

    // make sure file size is ok
    if (MAX_FILE_SIZE > 0 && MAX_FILE_SIZE*1024 < $filesize) {
      $errors[] = "File is too big (3).";
      break;
    }

    if (!@move_uploaded_file($tmp_filename , DESTINATION_FOLDER . $dest_filename)) {
      $errors[] = "Could not upload file (6).";
      break;
    }

    if (DO_LOG) {
      // Establish DB connection
      $link = @mysql_connect(DB_HOST, DB_USERNAME, DB_PASSWORD);
      if (!$link) {
        $errors[] = "Could not connect to mysql.";
        break;
      }
      $res = @mysql_select_db(DB_DATABASE, $link);
      if (!$res) {
        $errors[] = "Could not select database.";
        break;
      }
      $m_ip = mysql_real_escape_string($_SERVER['REMOTE_ADDR']);
      $m_size = $filesize;
      $m_fname = mysql_real_escape_string($dest_filename);
      $sql = "insert into _uploads_log (log_filename,log_size,log_ip) values ('$m_fname','$m_size','$m_ip')";
      $res = @mysql_query($sql);
      if (!$res) {
        $errors[] = "Could not run query.";
        break;
      }
      @mysql_free_result($res);
      @mysql_close($link);
    } // if (DO_LOG)

    // redirect to upload success url
    header('Location: ' . SUCCESS_URL);
    die();

    break;

  } // while(true)

  // Errors. Show upload form.
  $message = join('',$errors);
  showUploadForm($message);

}

?>

Question by:afsfire
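
An added example, not part of the original post or of the zubrag script: the posted settings leave `$exts` empty and keep the client-supplied file name, so this shows the same upload checks with an extension allowlist and a server-generated stored name. It assumes PHP 7 or later; `UPLOAD_DIR`, `MAX_BYTES`, `ALLOWED_EXTS` and `checkUpload()` are hypothetical names, and the sample entries are constructed.

```php
<?php
// Added example (not the posted script). All names and values below are assumptions.
const UPLOAD_DIR   = 'D:/uploads/';          // assumed: folder outside the web root
const MAX_BYTES    = 2097152;                // assumed 2 MB limit
const ALLOWED_EXTS = ['pdf', 'doc', 'docx']; // assumed allowlist for a resume upload

/**
 * Validate one $_FILES entry.
 * Returns [storedName, null] on success or [null, errorMessage] on rejection.
 */
function checkUpload(array $file, array $allowed = ALLOWED_EXTS, $maxBytes = MAX_BYTES)
{
    if (!isset($file['error']) || is_array($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return [null, 'Upload failed.'];
    }
    if ($file['size'] <= 0 || $file['size'] > $maxBytes) {
        return [null, 'File size not accepted.'];
    }
    // The client name is read only for its extension; it is never used as the stored name.
    $ext = strtolower(pathinfo(basename($file['name']), PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, $allowed, true)) {
        return [null, 'File type not allowed.'];
    }
    // Server-generated name: no client-controlled characters reach the file system.
    return [bin2hex(random_bytes(16)) . '.' . $ext, null];
}

if (PHP_SAPI === 'cli') {
    // Constructed sample entries so the checks can be exercised offline.
    $samples = [
        ['name' => 'cv.pdf',        'size' => 22528, 'error' => UPLOAD_ERR_OK],
        ['name' => 'cv.php',        'size' => 22528, 'error' => UPLOAD_ERR_OK],
        ['name' => 'cv.pdf.resume', 'size' => 22528, 'error' => UPLOAD_ERR_OK],
    ];
    foreach ($samples as $s) {
        list($stored, $error) = checkUpload($s);
        echo $s['name'], ' => ', $error === null ? 'accepted' : $error, PHP_EOL;
    }
} elseif (isset($_FILES['filename'])) {
    list($stored, $error) = checkUpload($_FILES['filename']);
    $tmp = $_FILES['filename']['tmp_name'];
    if ($error === null && is_uploaded_file($tmp) && move_uploaded_file($tmp, UPLOAD_DIR . $stored)) {
        echo 'Stored as ' . htmlspecialchars($stored);
    } else {
        http_response_code(400);
        echo htmlspecialchars($error !== null ? $error : 'Could not store file.');
    }
}
```

Run from the command line, only the first constructed sample is accepted; the other two are rejected by the allowlist.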
8 Comments
 
LVL 3

Expert Comment

by:laneway
ID: 24767595
Make sure that all your PHP scripts have Execute permissions. If you are not sure which user to grant the permissions to, then give "Everyone" these permissions to confirm that this solves your problem.
0
 

Author Comment

by:afsfire
ID: 24767615
The user iusr has read and read&execute rights on the php file in NTFS.
0
 
LVL 3

Expert Comment

by:laneway
ID: 24773209
There are two subfolders inside the PHP folder that will also need special permissions.

c:\php\sessiontemp
c:\php\uploadtemp

Make sure both of these files are readable and writable by the IUSR.


0
 

Author Comment

by:afsfire
ID: 24773721
I changed the security on those directories and still no luck. I tried in CGI mode and I get HTTP 500 internal server error as well.
0
 
LVL 3

Assisted Solution

by:laneway
laneway earned 250 total points
ID: 24773780
I am still fairly convinced that this is a permissions problem. Just to rule out the possibility that the wrong user is being given these permissions, can you temporarily give Everyone "full control" on the files and folders we've tried up to this point? Make sure to allow folder permissions to overwrite the permissions of their children. See if that changes anything.
0
 

Author Comment

by:afsfire
ID: 24774095
Hmm, more and more I'm thinking that php5 may not be fully configured correctly... although I've gone through the settings in IIS and the php.ini and everything should be in order there.
I enabled register_globals just to see and after trying to upload I got a pop-up error on the server saying... well, I uploaded the screenshot of the error.
Also, after doing that the upload never seemed to finish but it never errored. Also BTW the file I'm trying to upload as a test is only 22kb.

Untitled.jpg
0
 

Accepted Solution

by:
afsfire earned 0 total points
ID: 24785822
I resolved the issue by un-installing PHP and re-installing it. I had parts of an older version still on the server. Thanks... I'll award half the points for your help
0
 
LVL 3

Expert Comment

by:laneway
ID: 24785842
OK. Thanks. You might want to flag your last comment as the solution. Glad you got it figured out.
0
