prevent directory traversal attack

Post by caracarn001 on Tue Jan 29, 2013 8:46 am

I have this page where all the content from a directory is read and shown on screen.
Ideally the directory only contains images to create a photo gallery.
The directory is chosen by name (which is read from a GET variable), e.g. www.mysite.com/album?id="xyz"
As it is now, if I pass "../" in the variable, it shows the wrong directory.
Checking if the variable starts with a "." is not a good solution.

How can I sanitize my input in PHP to prevent a directory traversal attack, and how do I make sure only images are listed?

Code:
<?php
// Current album page: the directory name comes straight from the query string
if (isset($_GET['album']) && $_GET['album'] != null) {
    // Only names that start with a dot are rejected
    if (!preg_match("/^[.]/", $_GET['album'])) {
        $directory = "<path_to_dir>" . $_GET['album'] . "/";
        foreach (glob($directory . '*') as $filename) {
            echo "<tr><td><img style='width:400px;' src='" . $directory . basename($filename) . "' ></td></tr>";
        }
    }
}
?>

Re: prevent directory traversal attack

Post by -Ninjex- on Tue Jan 29, 2013 8:52 am

Where is the code for your upload form?

Re: prevent directory traversal attack

Post by caracarn001 on Tue Jan 29, 2013 9:00 am

This code is used to choose which directory to list:
Code:
<?php
// Return the first non-hidden entry of $dirname, used as the album thumbnail
function getFirstImage($dirname)
{
    $imageName = "";
    if ($handle = opendir($dirname)) {
        while (false !== ($file = readdir($handle))) {
            if (!preg_match("/^[.]/", $file)) {
                $imageName = $file;
                break;
            }
        }
        closedir($handle);
    }
    return $imageName;
}

// path to directory to scan
$directory = "<path_here>";

// get all sub-directories (one per album) in the specified directory
$files = glob($directory . "*", GLOB_ONLYDIR);
echo "<table style='width:100%'><tr>";
$index = 0;
// print one cell per album, five per row
foreach ($files as $file) {
    // thumbnail: first image found inside this album
    $image = $file . "/" . getFirstImage($file);
    echo "<td style='width:20%'><a href='album.php?album=" . basename($file) . "'><img src='" . $image . "' style='width:parent' /><br /><span class='link'>" . basename($file) . "</span></a></td>";
    $index++;
    if ($index % 5 == 0) {
        echo "</tr><tr>";
    }
}
// pad the last row with empty cells
while ($index <= 5) {
    echo "<td style='width:20%'>&nbsp;</td>";
    $index++;
}
echo "</tr></table>";
?>

Re: prevent directory traversal attack

Post by -Ninjex- on Tue Jan 29, 2013 9:08 am

I'm not a PHP guru, but I believe you need code similar to this:

Code:
<form action="upload_file.php" method="post"
enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="file" id="file"><br>
<input type="submit" name="submit" value="Submit">
</form>


In order to allow the user to upload the files?

You can use php in a way similar to below to sanitize the input to file types of your choice...

Code:
// For <input type="file" name="file" id="file" />
// the browser-reported MIME type of the upload is:
$type = $_FILES["file"]["type"];

You could do the same, then with a simple
Code:
// $_FILES[...]["type"] holds a full MIME type, e.g. "image/jpeg"
if ($type == "image/jpeg" || $type == "image/png")

you decide whether to accept the file or not.

-- Tue Jan 29, 2013 9:13 am --

Edit - I am sorry, I see what you are saying now. It isn't an upload form #Facepalm.... Let me research it and see what I can find.


Re: prevent directory traversal attack

Post by caracarn001 on Tue Jan 29, 2013 9:22 am

I think something went wrong in translation.

The album is uploaded already. All I want to do is show the content. I choose the album to VIEW using a GET variable (to determine which folder to open).

However, playing with this GET variable, I found out I could list directories I'm not supposed to access. It's this that I want to prevent.

The second thing is that these albums (directories) should only contain images. Since I won't be the only one to upload these albums (using FTP), I can't be certain of this. So I need a way to only show images in the listing (not txt files, for example).

Re: prevent directory traversal attack

Post by WallShadow on Tue Jan 29, 2013 4:27 pm


Re: prevent directory traversal attack

Post by mShred on Tue Jan 29, 2013 5:05 pm

You had a good idea in checking to see if the file name started with a '.'. Rather than have it just check for that, I'd just have it reject any attempt at file names that started with any kind of special characters. Then along with that, you'd have to make sure none of the files or folders started with special characters.

Re: prevent directory traversal attack

Post by weekend hacker on Wed Jan 30, 2013 11:49 am

The function you are looking for is realpath().
It'll convert all the ../ and ./'s and whatnot into the actual path. That'll make it easy to check if it's in a directory that is permitted.
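Putting the thread's suggestions together, as an added example that is not code from any poster: mShred's character allow-list on the album name, weekend hacker's realpath() containment check, and the image-only listing caracarn001 asked for in the opening post, with the output HTML-escaped as well. ALBUM_ROOT, ALBUM_URL, IMAGE_EXTENSIONS and the function names are assumptions made for this example (PHP 7.1+ assumed); point the root at the real gallery directory before using it.

```php
<?php
// Added example, not code from the thread. ALBUM_ROOT / ALBUM_URL are
// assumed locations for the gallery; adjust them to the real site layout.
declare(strict_types=1);

const ALBUM_ROOT = __DIR__ . '/albums';          // assumption: gallery root on disk
const ALBUM_URL  = '/albums';                    // assumption: matching URL prefix
const IMAGE_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif'];

/**
 * Layer 1 (mShred's suggestion): accept only an allow-listed character set,
 * so a dot, a slash or a backslash never reaches the filesystem call at all.
 */
function isValidAlbumName(string $name): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name);
}

/**
 * Layer 2 (weekend hacker's suggestion): resolve with realpath() and require
 * the result to stay inside the root. realpath() returns false for names that
 * do not exist, which also rejects most junk input. The trailing separator on
 * the root stops a sibling such as "albums2" from passing as a child of "albums".
 */
function resolveAlbumDir(string $root, string $name): ?string
{
    $rootReal  = realpath($root);
    $candidate = realpath($root . DIRECTORY_SEPARATOR . $name);
    if ($rootReal === false || $candidate === false || !is_dir($candidate)) {
        return null;
    }
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($candidate, $prefix, strlen($prefix)) === 0 ? $candidate : null;
}

/**
 * Layer 3 (second half of the question): list only real images. The extension
 * is a cheap first filter; getimagesize() reads the file header, so a text
 * file renamed to .jpg is still skipped.
 */
function listImages(string $dir): array
{
    $images = [];
    foreach (scandir($dir) as $entry) {
        if ($entry === '.' || $entry === '..') {
            continue;
        }
        $path = $dir . DIRECTORY_SEPARATOR . $entry;
        $ext  = strtolower(pathinfo($entry, PATHINFO_EXTENSION));
        if (!is_file($path) || !in_array($ext, IMAGE_EXTENSIONS, true)) {
            continue;
        }
        if (@getimagesize($path) === false) {
            continue;
        }
        $images[] = $entry;
    }
    return $images;
}

/** Render the gallery; every value that came from the request is escaped. */
function renderAlbum(string $album): string
{
    if (!isValidAlbumName($album)) {
        return "<p>Unknown album.</p>\n";
    }
    $dir = resolveAlbumDir(ALBUM_ROOT, $album);
    if ($dir === null) {
        return "<p>Unknown album.</p>\n";
    }
    $html = "<table>\n";
    foreach (listImages($dir) as $file) {
        $url = ALBUM_URL . '/' . rawurlencode($album) . '/' . rawurlencode($file);
        $src = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
        $html .= "<tr><td><img style='width:400px;' src='$src'></td></tr>\n";
    }
    return $html . "</table>\n";
}

// Constructed check of layer 1 against the kinds of input discussed above.
foreach (['summer2012', '../', '.hidden', 'my album'] as $probe) {
    printf("%-12s %s\n", $probe, isValidAlbumName($probe) ? 'accepted' : 'rejected');
}

if (isset($_GET['album']) && is_string($_GET['album'])) {
    echo renderAlbum($_GET['album']);
}
```

The allow-list alone already stops the traversal in the opening post; the realpath() check is kept as a second, independent line of defence so that a later loosening of the regex (say, to allow spaces or unicode album names) does not silently reopen the hole. Returning the same "Unknown album." for a bad name and for a missing directory avoids telling a caller which of the two checks failed.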