12.2. Path Traversal

Web servers are typically set up to serve content only from designated directories. Occasionally a vulnerability is found in the server software itself that allows files outside those areas to be read, but such bugs are rare in mature servers such as Apache. Web applications, however, execute on the server behind the HTTP request and can read any file the server process has permission to open, wherever it lives. A path traversal attack tricks the script into displaying the contents of directories and files outside the web root, which may contain sensitive information.

Consider this vulnerable code, exploit_02.php:

<?php
define('TEMPLATE_DIR', '../templates/');

$GLOBALS['TEMPLATE']['content'] = '<p>Hello World!</p>';

if (isset($_GET['t']))
{
    $template = TEMPLATE_DIR . $_GET['t'];
}

if (isset($template) && file_exists($template))
{
    include $template;
}
else
{
    include TEMPLATE_DIR . 'default.php';
}
?>

The code accepts the name of a template file in the URL parameter t and uses it to display the page content. A request for exploit_02.php?t=blue.php, for example, asks the script to use ../templates/blue.php as its template when displaying the page; if blue.php doesn't exist it falls back to ../templates/default.php. At least, that is the intent.

The code is vulnerable because no check is made that the value of $template actually resides in the templates directory. Just as the script uses ../ to back out of the public_files directory and reach the templates directory, an attacker can add ../ sequences to the parameter to traverse further up the file hierarchy into a different directory and access a more sensitive file. Consider the following address:

www.example.com/exploit_02.php?t=../../../../etc/passwd

With a t parameter of ../../../../etc/passwd, the value of $template becomes ../templates/../../../../etc/passwd. If that path didn't resolve to an existing file, default.php would still be used; but if public_files resides in /srv/apache/example on the host, the four ../ steps lead from /srv/apache/example/templates up to the root directory, and PHP includes the system's password file, which lists every user account on the machine. Because the file is passed to include, a plain text file is simply echoed into the page, and any PHP code the attacker can get into an included file would be executed. Figure 12-2 shows the compromised web page displaying the contents of the system's passwd file.

Figure 12-2. The compromised web page displaying the contents of the system's passwd file

The fix is again to properly verify user input. In this case you need to examine the constructed path to make sure it doesn't traverse into an undesired area of the file system. The realpath() function is useful here because it takes a relative path, resolves any ../ components and symbolic links, and returns the absolute path, or false if the file doesn't exist. You then know exactly which file is being referenced and can check that its canonical path begins with the template directory. Note the trailing slash on TEMPLATE_DIR in the corrected code below: without it a sibling directory whose name merely starts with "templates" would also pass the prefix check.

Here is the code with the vulnerability corrected:

<?php
define('TEMPLATE_DIR', '/srv/apache/example/templates/');

if (isset($_GET['t']))
{
    // realpath() resolves ../ and symlinks and returns false if the
    // file does not exist, so the result is an absolute path or false
    $template = realpath(TEMPLATE_DIR . $_GET['t']);
}

// only include the file if its canonical path starts with TEMPLATE_DIR
if (isset($template) &&
    $template !== false &&
    strpos($template, TEMPLATE_DIR) === 0 &&
    file_exists($template))
{
    include $template;
}
else
{
    include TEMPLATE_DIR . 'default.php';
}
?>
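The prefix check above assumes TEMPLATE_DIR is already a canonical path. If the templates directory is reached through a symbolic link (a common situation with /tmp and /var on some systems, or with deployment layouts that symlink a "current" release), realpath() of a legitimate template will never share the literal prefix and every request would silently fall back to default.php. The following added example, which is not code from the original page, wraps the check in a reusable function that canonicalises the base directory as well, handles the false return from realpath(), and exercises itself against a constructed directory layout. The helper name resolve_template() and the temporary directory names are assumptions made for the illustration.

```php
<?php
// Added example (not from the original page): a hardened template loader.
// resolve_template() and the demo directory layout are illustrative names.

/**
 * Return the canonical absolute path of $name inside $baseDir, or null if
 * $name does not resolve to an existing regular file below $baseDir.
 */
function resolve_template(string $baseDir, string $name): ?string
{
    // Canonicalise the base directory too: if it is reached through a
    // symlink, realpath() of a template would never share the literal prefix.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // realpath() returns false for non-existent files, so the "not found"
    // case is handled before any string comparison takes place.
    $candidate = realpath($base . $name);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }

    // The trailing separator on $base stops a sibling such as
    // ".../templates_old/x.php" from matching the prefix ".../templates".
    if (strncmp($candidate, $base, strlen($base)) !== 0) {
        return null;
    }
    return $candidate;
}

// Self-check on a constructed directory layout (created here, not real data).
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pt_demo_' . getmypid();
mkdir("$root/templates", 0700, true);
mkdir("$root/templates_old", 0700);
mkdir("$root/secret", 0700);
file_put_contents("$root/templates/blue.php", '<p>blue</p>');
file_put_contents("$root/templates_old/blue.php", '<p>old</p>');
file_put_contents("$root/secret/config.php", 'password');

$cases = [
    'blue.php'                   => true,   // legitimate template
    '../secret/config.php'       => false,  // traversal into a sibling directory
    '../templates_old/blue.php'  => false,  // sibling whose name shares the prefix
    '../../../../etc/passwd'     => false,  // traversal towards the filesystem root
    'missing.php'                => false,  // realpath() returns false
];
foreach ($cases as $input => $expectedOk) {
    $ok = resolve_template("$root/templates", $input) !== null;
    printf("%-28s %s\n", $input, $ok === $expectedOk ? 'as expected' : 'UNEXPECTED');
}

// Clean up the constructed layout.
unlink("$root/templates/blue.php");
unlink("$root/templates_old/blue.php");
unlink("$root/secret/config.php");
rmdir("$root/templates");
rmdir("$root/templates_old");
rmdir("$root/secret");
rmdir($root);
```

Run it from the command line with php. Every case should print "as expected": only blue.php resolves, while the traversal attempts, the sibling directory and the missing file all yield null and would fall through to the default template in the page's own code.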
