Ok, over the last few days my site has been hacked twice on a shared hosting account I am using to store all my static media such as video, images, sound, etc. The only PHP script on the server is a little thing we wrote to resize and cache images for display on the page.
How it works is, in the .htaccess I have the following:
[code]
RewriteEngine on
RewriteCond %{query_string} ^width=([^&]+)&height=([^&]+) [NC]
RewriteRule ^(.*).jpg imageLoader.php?width=%1&height=%2&target=$1.jpg [L]
RewriteCond %{query_string} ^width=([^&]+)&height=([^&]+) [NC]
RewriteRule ^(.*).png imageLoader.php?width=%1&height=%2&target=$1.png [L]
RewriteCond %{query_string} ^width=([^&]+)&height=([^&]+) [NC]
RewriteRule ^(.*).gif imageLoader.php?width=%1&height=%2&target=$1.gif [L]
[/code]
Basically the idea is, if an image is called on the server with width and height queries attached, it gets re-routed to this image loader.
The image loader then checks in a cache database to see if an image of that size has already been cached. If it has, that image is served up. If not, one is created and cached, then served up.
Anyway, I am sure they are injecting into it somehow, but I have no idea how. Yesterday they managed to delete every file on the server, and my host says it has to have been done through a PHP file.
The image loader has its permissions set to 644 as it needs write access to create the cached files.
Here is the script within the image loader (I swapped out the database credentials with XXX):
[code]
<?php
scaleImageFileToBlob($_GET['target'], $_GET['width'], $_GET['height']);

function scaleImageFileToBlob($file, $max_width, $max_height) {
    $db    = "XXXX";
    $table = "XXXX";
    $user  = "XXXX";
    $pass  = "XXXX";
    mysql_connect("localhost", $user, $pass) or die(mysql_error());
    mysql_select_db($db) or die(mysql_error());

    // Look for an already-cached copy of this image at the requested size
    $query = "SELECT * FROM " . $table . " WHERE url = '" . $file . "' AND width = '" . $max_width . "' AND height = '" . $max_height . "' LIMIT 1";
    $result = mysql_query($query) or die(mysql_error());
    $found = false;
    while ($row = mysql_fetch_array($result)) {
        $found = true;
        header("Location: http://media.domain.com/cache/" . $row['id'] . "." . $row['type']);
    }

    if (!$found) {
        // Not cached yet: load the source image according to its type
        list($width, $height, $image_type) = getimagesize($file);
        switch ($image_type) {
            case 1: $src = imagecreatefromgif($file); break;
            case 2: $src = imagecreatefromjpeg($file); break;
            case 3: $src = imagecreatefrompng($file); break;
            default: return '';
        }

        // Work out the thumbnail size, keeping the aspect ratio
        $x_ratio = $max_width / $width;
        $y_ratio = $max_height / $height;
        if (($width <= $max_width) && ($height <= $max_height)) {
            $tn_width  = $width;
            $tn_height = $height;
        } elseif (($x_ratio * $height) < $max_height) {
            $tn_height = ceil($x_ratio * $height);
            $tn_width  = $max_width;
        } else {
            $tn_width  = ceil($y_ratio * $width);
            $tn_height = $max_height;
        }

        $tmp = imagecreatetruecolor($tn_width, $tn_height);
        /* Check if this image is PNG or GIF to preserve its transparency */
        if (($image_type == 1) || ($image_type == 3)) {
            imagealphablending($tmp, false);
            imagesavealpha($tmp, true);
            $transparent = imagecolorallocatealpha($tmp, 255, 255, 255, 127);
            imagefilledrectangle($tmp, 0, 0, $tn_width, $tn_height, $transparent);
        }
        imagecopyresampled($tmp, $src, 0, 0, 0, 0, $tn_width, $tn_height, $width, $height);

        switch ($image_type) {
            case 1: $fileType = "gif"; break;
            case 2: $fileType = "jpg"; break;
            case 3: $fileType = "png"; break;
            default: break;
        }

        // Record the new cache entry, then write the file under its row id
        $query = "INSERT INTO " . $table . " (url,width,height,type) VALUES ('" . $file . "','" . $max_width . "','" . $max_height . "','" . $fileType . "')";
        mysql_query($query) or die(mysql_error());
        $fileLoc = $_SERVER['DOCUMENT_ROOT'] . "/cache/";
        $fileId  = mysql_insert_id();
        switch ($image_type) {
            case 1: imagegif($tmp, $fileLoc . $fileId . ".gif"); break;
            case 2: imagejpeg($tmp, $fileLoc . $fileId . ".jpg", 80); break;
            case 3: imagepng($tmp, $fileLoc . $fileId . ".png", 4); break;
            default: echo ''; break;
        }
        header("Location: http://media.domain.com/cache/" . $fileId . "." . $fileType);
        imagedestroy($tmp);
    }
}
?>
[/code]
Thanks so much, any suggestions?
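The loader above puts the raw `target`, `width` and `height` query values straight into a SQL string and into `getimagesize()`, so the request itself decides what gets queried and what file gets opened. The following is an added example of how the request-handling part can be hardened (it is not the poster's code); it assumes a PDO connection to the same table, that the images live under `$baseDir`, and it leaves the GD resizing step as it was.

```php
<?php
// Added example, not the original script. Assumes: PDO/MySQL, a table named
// "cache" with the same columns, and source images stored under $baseDir.
function validateDimension($value) {
    // Only a plain positive integer of at most four digits is accepted.
    if (!preg_match('/^[1-9][0-9]{0,3}$/', (string) $value)) {
        return null;
    }
    $n = (int) $value;
    return ($n >= 1 && $n <= 2000) ? $n : null;
}

function resolveTarget($target, $baseDir) {
    // Safe characters and an image extension only; then realpath() must
    // stay inside $baseDir, which defeats "../" and symlink tricks.
    if (!preg_match('#^[A-Za-z0-9_/-]+\.(jpg|png|gif)$#', $target)) {
        return null;
    }
    $real = realpath($baseDir . '/' . $target);
    $base = realpath($baseDir);
    if ($real === false || $base === false ||
        strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

function findCached(PDO $db, $url, $w, $h) {
    // Prepared statement: request values never become part of the SQL text.
    $stmt = $db->prepare('SELECT id, type FROM cache WHERE url = ? AND width = ? AND height = ? LIMIT 1');
    $stmt->execute(array($url, $w, $h));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return ($row === false) ? null : $row;
}

$baseDir = $_SERVER['DOCUMENT_ROOT'];   // assumption: media root is the web root
$w      = validateDimension(isset($_GET['width']) ? $_GET['width'] : '');
$h      = validateDimension(isset($_GET['height']) ? $_GET['height'] : '');
$target = isset($_GET['target']) ? $_GET['target'] : '';
$file   = resolveTarget($target, $baseDir);
if ($w === null || $h === null || $file === null) {
    header('HTTP/1.0 400 Bad Request');   // reject anything that is not a clean request
    exit;
}
$db  = new PDO('mysql:host=localhost;dbname=XXXX', 'XXXX', 'XXXX',
               array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
$hit = findCached($db, $target, $w, $h);
if ($hit !== null) {
    header('Location: http://media.domain.com/cache/' . $hit['id'] . '.' . $hit['type']);
    exit;
}
// Otherwise resize $file with GD as in the original and INSERT the row
// through $db->prepare(...) with bound values in the same way.
```

The same prepared-statement pattern applies to the INSERT, and the cache directory is the only place the script should ever need to write.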