The Future of Z-Up

For those who don’t know, Z-Up is a free public file uploader I launched in mid-2008. It’s been redesigned several times throughout the years, but the idea’s remained the same. Upload a file, get a link, done. It never really got much traction amongst the public, being used mostly for uploading dicks and stick figures to forums. However, it has proved to be a useful tool for my own purposes, my own little cloud, if you will.

I use it a lot for sharing ideas with bandmates, or design mockups with clients. For that, it’s a perfect little tool. I’m also pretty glad that it never got super popular, because at the time I was making it, I knew very little about the costs of running a big website.

Recently, Z-Up’s been hacked numerous times by some foreign script kiddies. At first, they simply placed popups, which I promptly removed. The latest breach completely took down the homepage and deleted all of the uploads. I apologize for the inconveniences this may have caused for those who relied on Z-Up to host stuff, but it was mostly out of my control. I was planning on cleaning out the uploads folder anyway, these guys just did it in a much more crude manner.

*Update:* I’ve fixed the security hole, Z-Up’s back up and running. The hack was a basic extension exploit, whereby the “hacker” uploaded an exploit script with a name such as image.php.png. It would bypass the uploader’s extension checker, and then the “hacker” would be able to use the script from a browser. In this case, it was a server file browser script, so they had pretty much full reign over the server. After deleting every last one of these files (this guy tucked them into every corner of the server), I secured the uploads directory by disallowing scripts to run, using an .htaccess. I used the word hacker in quotes because this was a freely available exploit script, which means this “hacker” is nothing more than a script kiddie. On the positive side, Z-Up’s more secure now, and I did a bit of cleaning on my server, removing old (and potentially vulnerable) installs of Movable Type, Expression Engine, and Chyrp.

I’m still debating on whether to password-protect Z-Up, because I really don’t need people uploading stupid internet memes to it all the time.

Posted in Design, Web
  • Alec

    What script/file type did they run to execute things? Did they wrap something up in a zip file and go from there?

    Also, hit me up with login credentials because I am 92% of Z-ups traffic.

  • Dan

    I updated the post with details about the hacks. I’m probably not going to go through with password-protecting it, because it really was just one person exploiting it, and I’ve fixed the security hole.

  • XvldDevastatorX

    Dan, I would recommend password protecting it, even if it’s a simple encryption, it’ll be better and hopefully stop this if you smack a powerful encryption.

  • Tom

    Believe it or not I used a lot. Not only did you wipe the comics Mike and I originally had (because I never backed them up), but a lot of my recordings (I used the site for its convenience.) Protecting the site with a password is inaccessible. It’s much better just to fix the obvious vulnerabilities presented by file uploading.