24 Aug 2010

Directory Traversal Attacks

Attackers use directory traversal attacks to read arbitrary files on web servers, such as SSL private keys and password files.

Some web applications open files based on HTTP parameters (user input). Consider this simple PHP application that displays a file in several languages:

<?php

// Vulnerable: the query parameter is concatenated straight into the include path.
$language = "main-en";

if (isset($_GET['language']))
  $language = $_GET['language'];

include("/usr/local/morocco/static_files/" . $language . ".html");

?>

Assume that this PHP page is accessible through http://test.wablab.com/morocco/static.php?language=main-en; an attacker can read arbitrary files from the web server by supplying a value that makes the include() call resolve to a different file. For instance, if an attacker made this GET request,

http://test.wablab.com/morocco/static.php?language=../../../../etc/passwd%00

the include function would open this file:

/usr/local/morocco/static_files/../../../../etc/passwd

which is simply

/etc/passwd

(That is hazardous, because in Unix-like operating systems the /etc/passwd file lists sensitive information about each of the users that may log in to the system.)

Thus, the GET request would return the contents of /etc/passwd on the server. Note that the null byte (%00) ends the string, so .html would not be concatenated to the end of the filename.

This type of attack is called a directory traversal attack, and it has plagued many web servers for some time, because attackers would URL encode the ../ segments in various ways, such as these:

•  %2e%2e%2f

•  %2e%2e/

•  ..%2f

•  .%2e/

Today, some web application frameworks automatically protect against directory traversal attacks. For example, PHP has a setting called magic_quotes_gpc, which is on by default. This setting "magically" escapes suspicious characters in GETs, POSTs, and cookies with a backslash. Thus, the character / is escaped to \/, which stops this attack.

Other web application frameworks do not have general protection mechanisms, and it is up to the developer to protect against these problems.

To protect your application from directory traversal attacks, whitelist the acceptable files, that is, deny all user input except for a small subset like this:

<?php

// Safe: only values from a fixed list of known file names are ever used.
$languages = array('main-en','main-fr','main-ar');

$language = $languages[1];

if (isset($_GET['language'])) {
  $tmp = $_GET['language'];

  // array_search() returns the index, and index 0 ('main-en') is falsy,
  // so compare against false explicitly (strict match, no type juggling).
  if (array_search($tmp, $languages, true) !== false)
    $language = $tmp;
}

include("/usr/local/morocco/static_files/" . $language . ".html");

?>
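As an added example (not code from the original article), the following Python models why the encoded ../ variants and the %00 truncation all resolve to the same file, and shows the two defensive checks a reviewer would expect: the exact-match whitelist the article recommends, and a canonical-path containment check as defence in depth. The base directory, language names and payloads are taken from the article; the function names are assumptions for illustration.

```python
import posixpath
from urllib.parse import unquote

# Values mirroring the article's PHP page (constructed, not a real deployment).
BASE_DIR = "/usr/local/morocco/static_files"
ALLOWED_LANGUAGES = ("main-en", "main-fr", "main-ar")


def resolve_like_include(language_param: str) -> str:
    """Model what the vulnerable include() ends up opening.

    The raw query value is URL-decoded, a NUL byte truncates the string
    (so ".html" is never appended), and "../" segments are collapsed the
    way the filesystem would resolve them.
    """
    decoded = unquote(language_param)
    truncated, nul, _ = decoded.partition("\x00")
    path = BASE_DIR + "/" + truncated + ("" if nul else ".html")
    return posixpath.normpath(path)


def allowlist_language(language_param: str, default: str = "main-en") -> str:
    """The article's fix, done strictly: the decoded value must equal one of
    the known names exactly; anything else falls back to the default."""
    decoded = unquote(language_param)
    return decoded if decoded in ALLOWED_LANGUAGES else default


def path_is_contained(language_param: str) -> bool:
    """Defence in depth: after decoding and normalisation the target must
    still lie inside BASE_DIR. Uses posixpath.normpath (string-level) so it
    runs without the directory existing; on a live system use realpath()."""
    target = resolve_like_include(language_param)
    return target == BASE_DIR or target.startswith(BASE_DIR + "/")


if __name__ == "__main__":
    # The encoded forms listed in the article all normalise to the same file.
    for payload in ("main-en",
                    "../../../../etc/passwd%00",
                    "%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd%00",
                    "..%2f..%2f..%2f..%2fetc/passwd%00",
                    ".%2e/.%2e/.%2e/.%2e/etc/passwd%00"):
        print(f"{payload!r:55} -> {resolve_like_include(payload)}  "
              f"contained={path_is_contained(payload)}  "
              f"served={allowlist_language(payload)}")
```

Only the whitelist check reaches the include; the containment check is a second line of defence that catches any future file name that slips past it.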

Thank you for reading this article and enjoy your hacks.
