networkthis Posted February 24, 2008

I am about to lose my mind over this one... I have a script to allow user access to files they have uploaded to a specific directory, with the capability to browse only the files in their directory... unless they simply add this in the address bar: ?path=../

Example: http://www.example.com/ownerfiles/useruploads/?path=../

They can now access all of my owner files and delete/save them as they wish... Any help to stop this from happening in the script would be great. Here is the main filebrowser script. Please bear with me, I am very new to PHP.

```php
<?php
#*****************************************#
# Check to make sure that the User is     #
# currently logged in                     #
#*****************************************#
require_once('common.php');
checkUser();

#*****************************************#
# Start of the Function created that will #
# display each row separately             #
# It is broken down into Files/Directories#
#*****************************************#
function showContent($path) {
    # Open the Directory Path
    if ($handle = opendir($path)) {
        #*****************************************#
        # Create an Up one level link and take    #
        # user up one folder -- It currently      #
        # stops at the directory where the main   #
        # file is uploaded into the web directory #
        #*****************************************#
        $up = substr($path, 0, (strrpos(dirname($path."/."), "/")));
        echo "<tr><td colspan='2'><img src='../style/up2.gif' width='16' height='16' alt='up'/> <a href='".$_SERVER['PHP_SELF']."?path=$up'>Up one level</a></td></tr>
        <tr><td>File Name</td><td>Size</td><td>Modified</td><td>Created</td><td colspan='2'> Actions</td></tr>";

        while (false !== ($file = readdir($handle))) {
            #*****************************************#
            # Remove Files that are named . , .. and  #
            # any others we wish to add that we don't #
            # want displayed in the main directory.   #
            #*****************************************#
            if ($file != "." && $file != ".."
                && $file != "add.php" && $file != "common.php" && $file != "delete.php"
                && $file != "download.php" && $file != "edit.php" && $file != "login.php"
                && $file != "logout.php" && $file != "microFileBrowser.php"
                && $file != "opennew_practice.txt" && $file != "register.php"
                && $file != "index.php" && $file != ".htaccess") {

                # fName will be used to simply copy the Actual Name of the File!!!
                $fName = $file;
                # Create the path for the file
                $file = $path.'/'.$file;

                #*****************************************#
                # Simply checks to see if the $file is    #
                # actually a FILE. If it is display the   #
                # following.                              #
                #*****************************************#
                if (is_file($file)) {
                    ?>
                    <tr>
                    <td><img src='../style/file2.gif' width='16' height='16' alt='file'/> <?php echo $fName; ?></td>
                    <td><?php
                        # Take the size of the file and turn it into a variable
                        $file_size = filesize($file);
                        # Take the file_size variable and change it into readable terms--MB, KB, and Bytes
                        if ($file_size >= 1048576) {
                            echo number_format(($file_size / 1048576), 2) . " MB";
                        } elseif ($file_size >= 1024) {
                            echo number_format(($file_size / 1024), 2) . " KB";
                        } else {
                            echo $file_size . " bytes";
                        }
                    ?></td>
                    <td><?php
                        # List the last modified File Time (filemtime is the modification
                        # time; fileatime would report the last access time instead)
                        echo date("m/d/Y H:i", filemtime($file));
                    ?></td>
                    <td><?php
                        # List the created File Time
                        echo date("m/d/Y H:i", filectime($file));
                    ?></td>
                    <td><a href="download.php?file=<?php
                        # List the Path to Download the File and Display the Download Icon
                        echo urlencode($file);
                    ?>"><img src="../style/icons/save.gif" width="16" height="16"/></a></td>
                    <td><a href="delete.php?file=<?php
                        # List the Path to Delete the File and Display the Delete Icon
                        echo urlencode($file);
                    ?>"><img src="../style/icons/action_delete.gif" width="16" height="16"/></a></td>
                    </tr>
                    <?php
                }
                #*****************************************#
                # Simply checks to see if the $file is    #
                # actually a DIRECTORY. If it is display  #
                # the following.                          #
                #*****************************************#
                elseif (is_dir($file)) {
                    print "<tr><td colspan='2'><img src='../style/dir2.gif' width='16' height='16' alt='dir'/> <a href='".$_SERVER['PHP_SELF']."?path=$file'>$fName</a></td></tr>";
                }
            }
        }
        closedir($handle);
    }
}

if (isset($_POST['submitBtn'])) {
    $actpath = isset($_POST['path']) ? $_POST['path'] : '.';
} else {
    $actpath = isset($_GET['path']) ? $_GET['path'] : '.';
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>Spec Ops Advantage File Browser</title>
<link href="../style/style.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="main">
<div class="caption">Spec OPS Advantage File Browser</div>
<div id="icon2"> </div>
<div id="actual_path">ACTUAL PATH: <?php echo $actpath ?></div>
<div id="result">
<table width="100%">
<?php showContent($actpath); ?>
</table>
</div>
<div id="source">Spec Ops Advantage</div>
</div>
</body>
</html>
```
Bauer418 Posted February 24, 2008

Here are a couple of things you could do:

1) chmod the parent level directories to not allow them to do anything to the folder.

2) Employ a simple basedir restriction, in which ?path=/ would refer to the base directory of the user's folder. You could then proceed to strip out all dots (".") from the ?path= variable, so ?path=../ would translate to simply ?path=/ using a simple str_replace call.

A combination of the 2 is obviously optimal, and the first one is more of a temporary patch than a fix.
networkthis (Author) Posted February 24, 2008

First off, thank you for such a quick response... Amazing!!!

Second, the first option would work like you said... however there are a ton of folders... I guess they should all be chmoded anyway for security... most are already... thanks for reminding me of the obvious, which I have obviously forgotten!!!

The second option sounds great, but like I said I am very new to this... I can get it to work if I simply remove the whole function aspect (function showContent($path){) and a few additional lines... However I then lose the functions of opening the new folders and showing the content in the folders. I can still view all files and folders in the main file... It seems like anything additional I try to add to this just crumbles... unless it is HTML or CSS!!!
Bauer418 Posted February 24, 2008

What you should do is trim all dots, slashes, and tildes (. / \ ~) from the beginnings and ends of the $_GET['path'] variable. This should stop the user from getting to folders and files they don't have access to.
networkthis (Author) Posted February 26, 2008

I finally figured out what I needed to do to make this user not be able to view the lower level directories/files by typing ?path=../ at the end of the URL... Thanks for viewing and trying to help!

To solve it I simply did the following:

1. Used str_replace for the actpath.

2. Made an auto redirect with the header function if a user tries to view the directories this way (?path=../ or anything similar); it will redirect back to the main page of the file browser.

3. Pulled half of my hair out trying to figure it out... it was actually very simple.

Amazing how easy PHP is once you learn how to use all the functions (and actually can find them!). Thanks for all your help and happy coding.
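As an added example that is not code from this thread: the basedir restriction Bauer418 describes can be enforced by canonicalising the requested path with realpath() and checking that the result still lies under the user's upload directory, rather than by removing characters from the ?path= string. Canonicalisation also covers forms that character stripping misses (absolute paths, symlinks that point outside the base, `..` in the middle of a path). The directory layout (`useruploads/<user id>`), the `$currentUserId` variable and the helper names are assumptions for the example.

```php
<?php
// Added example, not the poster's script: confine a user-supplied ?path= value
// to one base directory. $baseDir is assumed to be the directory that holds
// this user's uploads; it must exist and must not be the filesystem root.

/**
 * Resolve $requested relative to $baseDir. Returns the canonical directory
 * path, or null if the request does not resolve to a directory inside the base.
 */
function resolveUserPath($baseDir, $requested)
{
    // Embedded NUL bytes are never legitimate in a path; reject them outright.
    if (strpos($requested, "\0") !== false) {
        return null;
    }

    // Canonicalise the base so the prefix check compares real paths.
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // misconfigured base directory
    }

    // Treat the request as relative to the base, never as an absolute path.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . ltrim($requested, "/\\"));
    if ($candidate === false || !is_dir($candidate)) {
        return null; // nonexistent, or a file rather than a directory
    }

    // realpath() has already collapsed ".", ".." and symlinks, so the resolved
    // directory must now be the base itself or start with "<base>/".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($candidate !== $base && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // escaped the base, e.g. via ?path=../
    }

    return $candidate;
}

/** Path of $resolved relative to $base ('' for the base itself), for building links. */
function relativeToBase($base, $resolved)
{
    return $resolved === $base ? '' : substr($resolved, strlen($base) + 1);
}

// Usage in the browser script (assumed layout): resolve first, then pass only
// the resolved directory to showContent(). Links for "Up one level" and for
// subdirectories should carry base-relative paths, which this resolver accepts.
$baseDir   = __DIR__ . '/useruploads/' . $currentUserId; // $currentUserId assumed to come from the login check
$requested = isset($_GET['path']) ? (string) $_GET['path'] : '';
$actpath   = resolveUserPath($baseDir, $requested);
if ($actpath === null) {
    header('Location: ' . $_SERVER['PHP_SELF']); // back to the user's own root
    exit;
}
$upLink = dirname(relativeToBase(realpath($baseDir), $actpath));
if ($upLink === '.' || $upLink === DIRECTORY_SEPARATOR) {
    $upLink = ''; // already at the user's root; do not go above it
}
```

The same resolution must be applied in download.php and delete.php to their ?file= parameter (with an is_file() check in place of is_dir()); otherwise the traversal is only moved from the listing to the file actions the thread mentions.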