Upload-Point
About
Updated: March 10, 2008
Upload-Point 1.61 Beta is the current release. Available in English/Deutsch/Español/ελληνικα/Nederlands/Türkçe/简体中文
This is a very simple-to-use PHP upload script with password protection. It is designed to be as "plug-n-play" as possible. You do not have to do anything except upload the script, although there are a few options you can easily enable/disable with a browser-based options page.
The script is configured with an options page (options.php) and used with an upload page (index.php).
The only changes that need to be made are to create a password and change your file upload directory.
After uploading:
To use the script, go to: http://YOURDOMAIN.com/upload
If you would like to view and change options in the script go to: http://YOURDOMAIN.com/upload/options.php
You can revisit options.php at any point without causing any harm. You can also just edit config.php by hand, but the password protection will only work using options.php.
This script is a "rip" from my main script Edit-Point, so please don't be surprised to see "edit-point" or "text" somewhere in the documentation.
http://covertheweb.com/edit-point
Please feel free to email if you need help or if you have comments, suggestions, or complaints: strattman@gmail.com
I really need "bug" reports and translations!!!
REQUIREMENTS
1) Linux Server with php 4+ (safe_mode = off). A shared server using phpsuexec is recommended as other security methods do not have php running as the user and this makes file creation and shell commands (in the script) difficult. Windows has been reported to work with some changes. See Notes/Bugs.
2) A website.
CREDITS
MD5.js Copyright (c) 1998 - 2005, Paul Johnston, distributed under the BSD License:
http://pajhome.org.uk/crypt/md5/
sha256.js Copyright (c) 2003-2004, Angel Marin, distributed under the BSD License:
http://anmar.eu.org/projects/jssha2/
jQuery is licensed under the MIT or GPL licenses and is copyright 2007 by John Resig and the jQuery team.
http://jquery.com/
Tablesorter and Pager are licensed under the MIT or GPL licenses and are written by Christian Bach.
http://tablesorter.com/docs/
Translations:
German translation by:
Beat Beer
http://www.stardesign.ch/
Dutch translation by:
Tjerk Plantenberg
http://www.tjerkhelpt.nl/
Chinese/简体中文 translation by:
Yie Alder Feng
yyfeng88625@gmail.com
http://fengfeng.x10hosting.com/
Turkish translation by:
Aquaria
http://www.gencgiyen.com/
Greek translation by:
Alexandros Spyrou
alexandros.spyrou@gmail.com
http://www.as-websolutions.gr/
Security
There is a password protection option that can be turned on or off.
I STRONGLY recommend using the built in password protection. I believe it is much more secure than .htaccess or most other password protection scripts. Options.php must be used for the password protection. The passwords cannot be set using the config.php file. Cookies must be enabled.
See "Password Protection Settings" under Setup Advanced for more details.
I also recommend placing your "data" directory outside of your public files. To do this, after installing the script, move the "data" directory outside of your public directory. Then edit config.php by hand to reflect that path. For example, if your script is located at "home/YOURNAME/public_html/upload", the "data" directory should be at "home/YOURNAME/data" and $datadir in config.php should read:
$datadir = "../../data";
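A quick way to confirm that a planned $datadir value really lands outside the public directory before editing config.php. This is an added Node.js example, not part of Upload-Point. It assumes $datadir is resolved relative to the script directory, as the example above implies, and uses the page's placeholder paths with a leading slash added.

```javascript
// Added illustration, not Upload-Point code. Path-only check: it does not
// follow symlinks and does not read the server configuration.
const path = require('path').posix;

// True when `target` is the web root itself or lies below it. Comparing whole
// path segments avoids treating /home/u/public_html_old as inside
// /home/u/public_html.
function isInsideWebRoot(webRoot, target) {
  const rel = path.relative(path.resolve(webRoot), path.resolve(target));
  if (rel === '') return true;
  return rel !== '..' && !rel.startsWith('../') && !path.isAbsolute(rel);
}

// Resolve $datadir against the script directory and report where it ends up.
function checkDataDir(webRoot, scriptDir, datadir) {
  const resolved = path.resolve(scriptDir, datadir);
  return { resolved, insideWebRoot: isInsideWebRoot(webRoot, resolved) };
}

// Constructed sample values based on the placeholder paths in the text.
const WEB_ROOT = '/home/YOURNAME/public_html';
const SCRIPT_DIR = '/home/YOURNAME/public_html/upload';

for (const candidate of ['data', '../../data', '../data']) {
  const { resolved, insideWebRoot } = checkDataDir(WEB_ROOT, SCRIPT_DIR, candidate);
  console.log(`${candidate} -> ${resolved} ` +
    (insideWebRoot ? '(inside public directory)' : '(outside public directory)'));
}
```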
Downloads
Upload-Point 1.61 Beta - Recommended
Download : 85 KB
Changelog
README
Older Versions
Upload-Point 1.5 Beta
Download : 58 KB
Upload-Point 1.4 Beta
Download : 44 KB
Upload-Point 1.3
Download : 40 KB
Upload-Point 1.2
Download : 37 KB
Upload-Point 1.1
Download : 37 KB
Upload-Point 1.01 Beta
Download : 34 KB
Setup Basic
After unpacking the script, you should have a directory called "upload" that contains the script:
- upload(directory)
- data(directory)
- crypt(directory)
- md5.js
- sha256.js
- progress.gif
- lang(directory)
- en.php
- de.php
- es.php
- gr.php
- nl.php
- tr.php
- zh-cn-utf8.php
- jscripts(directory)
- pager(directory)
- icons(directory)
- jquery.tablesorter.pager.css
- jquery.tablesorter.pager.js
- asc.gif
- bg.gif
- desc.gif
- jquery-1.2.3.min.js
- jquery.tablesorter.min.js
- config.php
- footer.php
- header.php
- index.php
- info.php
- options.php
- style.css
1) Upload the "upload" directory and its contents to your server as a subdirectory of your "public" directory. For example: http://YOURDOMAIN.com/upload/.
2) Visit the web-based configuration at http://YOURDOMAIN.com/upload/options.php and make any necessary changes.
3) To begin uploading, go to the Upload-Page:
http://YOURDOMAIN.com/upload/index.php
Setup Advanced
INITIAL SETTINGS
$language = "en.php";
Choose your language (English=en.php .:. Deutsch=de.php .:. Español=es.php .:. ελληνικα=gr.php .:. Nederlands=nl.php .:. Türkçe=tr.php .:. 简体中文=zh-cn-utf8.php).
$page_title = "Upload-Point 1.6 Beta";
Change to your desired site name and page title.
PASSWORD PROTECTION SETTINGS
$password_protect = "off";
Option to use the built-in password protection.
When the password protection option is used, two files are created and stored in the data directory. These are "admin_pass.php" and "upload_pass.php"
I STRONGLY recommend using the built in password protection. I believe it is much more secure than .htaccess or most other password protection scripts. Options.php must be used for the password protection. The passwords cannot be set using the config.php file. Cookies must be enabled.
The password protection is a "CHAP" (Challenge Handshake Authentication Protocol) system. The system uses md5.js (by Paul Johnston : http://pajhome.org.uk/crypt/md5/) and sha256.js (by Angel Marin : http://anmar.eu.org/projects/jssha2/) to hash passwords client side before sending them to the server. The CHAP system authenticates the user before allowing login.
First, the new password is hashed client side (before submitting), using sha256.js, and then the server encrypts it while hashing it again using another hashed version as the seed. Then it is stored in the data directory.
When logging in, the client and the server do the following:
1) The server creates a unique random string and sets it as a session value and then encrypts it for form submission.
2) The server then concatenates the user agent and language and encrypts a hash of it using the random string as a seed.
3) Then, when the password is submitted:
a) the client hashes the password (sha256) and sends it;
b) the client hashes the password (md5) and sends it;
c) the client hashes the encrypted random string;
d) the client concatenates the hashed/encrypted random string with random string seed and hashed password and hashes it;
e) the client hashes the encrypted, hashed agent/language concatenate with random string seed, and sends it.
4) The server then encrypts the received hashed password, using a hash of the pass with a hash of the pass as seed, and stores a session of it.
5) The server then encrypts the random string session variable, using the string as a seed for the agent response.
6) The server then hashes the encrypted random string, with random string seed, for the random string response.
7) The server then gets the user agent and language (again) and concatenates them.
8) The server then hashes the encrypted, hashed agent/language concatenation, seeded with the encrypted random string (which uses the random string as its seed).
9) The server then compares values:
a) The server checks to see if submitted, encrypted, hashed pass with hashed pass seed, matches the stored one.
b) The server then checks whether the submitted hash of the hashed, encrypted random string (with random string seed) concatenated with the hashed password matches the server's own value: the session random string encrypted with the session random string as seed, then hashed while concatenated with the submitted hashed (md5) pass.
c) The server then checks whether the submitted hash of the encrypted, hashed agent/language concatenation (with the encrypted random string, with random string seed) matches the server's check of the agent/language and random string session while hashing and encrypting them.
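The random-string part of the login exchange above (steps 1, 3a, 3c-3d, 6 and 9a-9b), reduced to a runnable Node.js model. This is an added example, not Upload-Point's code. Assumptions: HMAC-SHA-256 stands in for the "encrypt with seed" step, which the text does not specify, SHA-256 replaces MD5 in the response, the stored password is modelled as a plain SHA-256 hash, and the single-use challenge and constant-time comparison are additions made here.

```javascript
// Added illustration, not Upload-Point code. seal() is an assumed stand-in
// (HMAC-SHA-256) for the script's unspecified "encrypt with seed" step.
const crypto = require('crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');
const seal = (v, seed) => crypto.createHmac('sha256', seed).update(v).digest('hex');

// Constant-time comparison of two hex digests; malformed input never matches.
function sameDigest(a, b) {
  const x = Buffer.from(String(a), 'hex');
  const y = Buffer.from(String(b), 'hex');
  return x.length > 0 && x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Step 1: the raw random string stays in the session; the form gets it sealed.
function issueChallenge(session) {
  session.nonce = crypto.randomBytes(16).toString('hex');
  return seal(session.nonce, session.nonce);
}

// Steps 3a, 3c, 3d: the client works only from the sealed random string.
function clientRespond(password, sealedNonce) {
  const passHash = sha256(password);
  return { passHash, response: sha256(sha256(sealedNonce) + passHash) };
}

// Steps 6, 9a, 9b: recompute from the session value and compare.
function serverVerify(session, storedPassHash, submitted) {
  const nonce = session.nonce;
  session.nonce = null; // single use: the same challenge is never accepted twice
  if (!nonce) return false;
  const expected = sha256(sha256(seal(nonce, nonce)) + submitted.passHash);
  const passOk = sameDigest(submitted.passHash, storedPassHash);
  const respOk = sameDigest(submitted.response, expected);
  return passOk && respOk;
}

function demo() { // constructed sample run
  const stored = sha256('constructed-sample-password');
  const session = {};
  const msg = clientRespond('constructed-sample-password', issueChallenge(session));
  const first = serverVerify(session, stored, msg);
  const replaySameSession = serverVerify(session, stored, msg);
  issueChallenge(session); // a later login page load gets a fresh random string
  const replayNewChallenge = serverVerify(session, stored, msg);
  return { first, replaySameSession, replayNewChallenge };
}
console.log(demo());
```

The response is accepted once and rejected both when resubmitted in the same session and when resubmitted against a fresh random string, which is the property the random-string check in step 9b provides.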
FILE UPLOAD SETTINGS
The option for basic file upload/rename/delete.
$fileupload = "on";
Whether or not the "File Upload" option is available. Of course, the script will not work without this set to on.
$fileupload_dir_name = "files";
The file upload directory from the domain name. This directory will be automatically created. For instance, if you use "http://YOURDOMAIN.com/testing/files/", the file upload directory will equal: "testing/files".
$up_ignore1 = "";
$up_ignore2 = "";
$up_ignore3 = "";
$up_ignore4 = "";
$up_ignore5 = "";
Files to ignore (not list) in the upload directory. ".htaccess" is ignored by default.
$hide = "off";
Hide file listing from logged in users. on or off.
$rename_file = "on";
Rename File function. on or off.
$delete_file = "on";
Delete File function. on or off.
BASIC SETTINGS
$edit_redirect = "3000";
The redirect speed for index.php. 1000 = 1 second
$admin_redirect = "3000";
The redirect speed for options.php. 1000 = 1 second
You do not need to make changes below, unless you are changing the default directory names or structure.
$head = "on";
Whether or not to use the header/footer.
$textdir = "upload";
Script directory. For instance, if your Upload-Point installation is at "http://YOURDOMAIN.com/testing/upload", then $textdir = "testing/upload";
$datadir = "data";
Data directory. This is a subdirectory of $textdir. This is where the password files, created by the script are stored. Do not change unless you manually change the "data" directory name.
$pagepath = "../";
This is the path from script directory to webpage directory.
$p = "<p>";
$p2 = "</p>";
The start and end tags used in the html that is created. They are only used for Upload-Point script pages.
Upgrading
1) Save your "data" directory and delete everything else. (DO NOT DELETE YOUR FILE UPLOAD DIRECTORY, JUST THE SCRIPT DIRECTORY)
2) Next, upload all files and directories except the "data" directory.
3) Now visit http://YOURDOMAIN.COM/upload/options.php and turn the password protection on. Your old passwords should now work.
4) Re-enter your fileupload directory name.
Notes/Bugs
- To translate the script:
1) Download the most recent release: http://covertheweb.com/upload-point/
2) Use upload/lang/en.php
3) Leave any tag code ("<>") in your file
4) Add your word for "language" at the end of $l_opt116
5) I will thank you and ask a few questions and release a new version with your language included.
- Upload-Point may work on a Windows server, but you might have to place the line: error_reporting(0); at the beginning of the following scripts (just after <?php):
index.php
options.php
Todo
- maybe add thumbnails if file is an image.
- eyecandy - templates
Contact
You can contact me at: strattman@gmail.com