prevent directory traversal attack

[caracarn001]

I have this page where all the content from a directory is read and shown on screen.
Ideally the directory only contains images to create a photo gallery.
The directory is chosen by name (which is read from get-variable) eg: www.mysite.com/album?id="xyz"
As it is now if i give in the variable "../" it shows the wrong directory.
Checking if the variable starts with a "." is not a good solution.

How can I sanitize my input in php to prevent a directory traversal attack and how do I make sure only images are listed?

Code: Select all

<?php
if(isset($_GET['album']) && $_GET['album'] != null) {
   if(!preg_match("/^[.]/",$_GET['album'])){
      $directory="<path_to_dir>".$_GET['album']."/";
      foreach(glob($directory.'*') as $filename){
         echo"<tr><td><img style='width:400px;' src='".$directory.basename($filename)."' ></td></tr>";
      }
   }
}
?>


[-Ninjex-]

Where is the code for your upload form?

[caracarn001]

this code is used to chose which directory to list

Code: Select all

<?php
function getFirstImage($dirname)
{
    $imageName="";
    if($handle = opendir($dirname))
    {
        while(false!== ($file = readdir($handle)))
        {
            if(!preg_match("/^[.]/",$file)){
                $imageName = $file;
                 break;
            }
       }
       closedir($handle);
    }
    return($imageName);
}

//path to directory to scan
$directory = "<path_here>";

//get all files in specified directory
$files = glob($directory . "*",GLOB_ONLYDIR );
echo "<table style='width:100%'><tr>";
$index=0;
//print each file name
foreach($files as $file)
    {
    echo "<td style='width:20%'><a href='album.php?album=".basename($file)."'><img src=".$image." style='width:parent' /><br /><span class='link'>".basename($file)."</span></a></td>";
  $index++;
  if($index%5==0){
   echo "</tr><tr>";
   }
}
while($index <=5) {
   echo "<td style='width:20%'>&nbsp;</td>";
   $index++;
}
echo "</tr></table>";
?>


[-Ninjex-]

I'm not a php guru, but I believe you need a code similar to this:

Code: Select all

<form action="upload_file.php" method="post"
enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="file" id="file"><br>
<input type="submit" name="submit" value="Submit">
</form>


In order to allow the user to upload the files?

You can use php in a way similar to below to sanitize the input to file types of your choice...

Code: Select all

For <input type="file" name="file" id="file" />

get filetype by $type = $_FILES["file"]["type"]

You could do the same, then with a simple

Code: Select all

if($type == "jpeg" || $type == "png")

you decide whether to accept the file or not.

-- Tue Jan 29, 2013 9:13 am --

Edit - I am sorry, I see what you are saying now. It isn't a upload form #Facepalm.... Let me research it and see what I can find.

[caracarn001]

I think something went wrong in translation.

The album is uploaded already. All I want to do is show the content. I chose the album to VIEW using a GET-variable (to determine which folder to open)

However, playing with this GET-variable, I found out I could list directories I'm not supposed to access. It's this that I want to prevent.

The second thing is that these albums (directories) should only contain images. Since I won't be the only one to upload these albums (using FTP), I can't be certain of this. So I need a way to only show images in the listing (not txt-files for example)

[WallShadow]

I'm not a php guru,
...

https://en.wikipedia.org/wiki/Directory ... sal_attack
https://www.owasp.org/index.php/Path_Traversal

<3

[mShred]

You had a good idea in checking to see if the file name started with a '.'. Rather than have it just check for that, I'd just have it reject any attempt at file names that started with any kind of special characters. Then along with that, you'd have to make sure none of the files or folders started with special characters.

[weekend hacker]

The function you are looking for is realpath().
It'll convert all the ../ and ./'s and what not into the actual path. That'll make it easy to check if its in a directory that is permitted.