Jump to content

Is this enough to stop Path Traversal?


Go to solution Solved by kicken,

Recommended Posts

Hello.  Recently I've run into a bit of an issue with Path Traversal.  I was searching a bit on solutions to it, but all I could find were sites telling you to fix it, and not showing examples of how.  So, I've been running a few tests and seem to have the majority fixed.  At least, the ones on Owasp's examples don't work.

 

I am making a file manager, so they can browse the public_html all they want.  I just don't want anyone using ../, or the document root to browse through anything other than through the public_html.

 

So, here is the solution I have found that seems to work on everything I have seen:

<?php
// Seems to solve plain-text, encoded, and null bytes
$replace = array("%", "..");
$file = str_replace($replace, "", $_GET['file']);
 
// ./ at the beginning to stop DOCUMENT_ROOT travel
echo show_file_contents("./".$file);
?>

And this is how the path is set up for file_get_contents to access:

<?php
function show_file_contents($file) {
 
    $path = $_SERVER['DOCUMENT_ROOT']."/".$file;
 
}
?>

My question is:  Does this fully stop any directory traversal attempt?

Edited by SarahBear
Link to comment
https://forums.phpfreaks.com/topic/292376-is-this-enough-to-stop-path-traversal/
Share on other sites

Forgive me this change of topic, but why on earth would anyone want to provide universal access to the entire root folder(and therefore its subs) of one's site?  I can see providing access to a subset of folder(s) that contain documents or images or some collection of files, but the whole site?

 

Perhaps the easy way to prevent your problem would be to just supply a list of eligible folders displayed in some visually-appealing format and let people click on the name they wish to see?  That is, if you don't have second thoughts about the whole idea.

Edited by ginerjm

I would think that any 'open source file manager' (?) would provide access to (again) 'a subset of folders' and NOT the public_html folder where the manager itself might reside as well as any other application files.  Pardon my asking but you do realize the significance of the 'public_html' folder?

  • Solution

realpath

 

Use that to resolve any path given into an absolute path, then verify that the result begins with an allowed prefix.

 

$prefix = $_SERVER['DOCUMENT_ROOT'];
$path = realpath($_GET['path']);
if ($path && strncmp($path, $prefix, strlen($prefix)==0){
  //ok
}
Something like that.
  • Like 1

I would think that any 'open source file manager' (?) would provide access to (again) 'a subset of folders' and NOT the public_html folder where the manager itself might reside as well as any other application files.  Pardon my asking but you do realize the significance of the 'public_html' folder?

What's the difference between that and any other file manager such as fully-featured cPanel, which lets you go higher up?  Not to be rude, but this isn't a debate about whether there are issues or not.  The script itself is securely password protected, brute force protected, CSRF protected, etc.  They can customize it however they want if they don't want it to access public_html.

 

Thank you very much, kicken.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.