
Help needed with File Browser script PLEASE!!!


networkthis


I am about to lose my mind over this one... I have a script that allows users access to the files they have uploaded to a specific directory, with the capability to browse only the files in their directory... unless they simply add this in the address bar: ?path=../

 

example: http://www.example.com/ownerfiles/useruploads/?path=../

 

They can now access all of my owner files and delete/save them as they wish...

 

Any help to stop this from happening in the script would be great

 

Here is the main filebrowser script. Please bear with me, I am very new to PHP.

 

<?php
#*****************************************#
# Check to make sure that the User is     #
# currently logged in                     #
#*****************************************#
require_once('common.php');
checkUser();

#*****************************************#
# Start of the Function created that will #
# display each row separately             #
# It is broken down into Files/Directories#
#*****************************************#
function showContent($path){

    # Open the Directory Path
    if ($handle = opendir($path))
    {
        #*****************************************#
        # Create an Up one level link and take    #
        # user up one folder -- It currently      #
        # stops at the directory where the main   #
        # file is uploaded into the web directory #
        #*****************************************#
        $up = substr($path, 0, (strrpos(dirname($path."/."),"/")));
        echo "<tr><td colspan='2'><img src='../style/up2.gif' width='16' height='16' alt='up'/> <a
        href='".$_SERVER['PHP_SELF']."?path=".urlencode($up)."'>Up one level</a></td></tr>
        <tr><td>File Name</td><td>Size</td><td>Modified</td><td>Created</td><td colspan='2'>
        Actions</td></tr>";

        #*****************************************#
        # Files that are named . , .. and any     #
        # others we wish to add that we don't     #
        # want displayed in the main directory.   #
        #*****************************************#
        $hidden = array(".", "..", "add.php", "common.php", "delete.php", "download.php",
                        "edit.php", "login.php", "logout.php", "microFileBrowser.php",
                        "opennew_practice.txt", "register.php", "index.php", ".htaccess");

        while (false !== ($file = readdir($handle)))
        {
            if (!in_array($file, $hidden, true))
            {
                # fName keeps the actual name of the file for display (HTML-escaped)
                $fName = htmlspecialchars($file, ENT_QUOTES, 'UTF-8');

                # Create the path for the file
                $file = $path.'/'.$file;

                #*****************************************#
                # Simply checks to see if the $file is    #
                # actually a FILE.  If it is display the  #
                # following.                              #
                #*****************************************#
                if(is_file($file)) {
                    ?>
                    <tr>
                    <td><img src='../style/file2.gif' width='16' height='16' alt='file'/> <?php echo $fName; ?></td>
                    <td>
<?php
                    # Take the size of the file and turn it into a variable
                    $file_size = filesize($file);

                    # Take the file_size variable and change it into readable terms--MB, KB, and Bytes
                    if ($file_size >= 1048576)
                        { echo number_format(($file_size / 1048576),2) . " MB"; }
                    elseif ($file_size >= 1024)
                        { echo number_format(($file_size / 1024),2) . " KB"; }
                    elseif ($file_size >= 0)
                        { echo $file_size . " bytes"; }
                    else
                        { echo "0 bytes"; }
?>
                    </td>
                    <td><?php
                    # List the last modified File Time
                    # (filemtime is the modification time; fileatime is the last access time)
                    echo date("m/d/Y H:i", filemtime($file)); ?></td>

                    <td><?php
                    # List the created File Time (inode change time on Unix systems)
                    echo date("m/d/Y H:i", filectime($file)); ?></td>

                    <td><a href="download.php?file=<?php
                    # List the Path to Download the File and Display the Download Icon
                    echo urlencode($file); ?>"><img src="../style/icons/save.gif" width="16" height="16"/></a></td>

                    <td><a href="delete.php?file=<?php
                    # List the Path to Delete the File and Display the Delete Icon
                    echo urlencode($file); ?>"><img src="../style/icons/action_delete.gif" width="16" height="16"/></a>
                    </td>

                    </tr><?php
                }
                #*****************************************#
                # Simply checks to see if the $file is    #
                # actually a DIRECTORY.  If it is display #
                # the following.                          #
                #*****************************************#
                elseif (is_dir($file)) {
                    print "<tr><td colspan='2'><img src='../style/dir2.gif' width='16' height='16'
                    alt='dir'/> <a href='".$_SERVER['PHP_SELF']."?path=".urlencode($file)."'>$fName</a></td></tr>";
                }
            }
        }

        closedir($handle);
    }

}

# The requested path is taken straight from the request and handed to showContent();
# nothing here restricts it to the user's upload directory, which is why ?path=../ works.
if (isset($_POST['submitBtn'])){
    $actpath = isset($_POST['path']) ? $_POST['path'] : '.';
} else {
    $actpath = isset($_GET['path']) ? $_GET['path'] : '.';
}

?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html>
<head>
   <title>Spec Ops Advantage File Browser</title>
   <link href="../style/style.css" rel="stylesheet" type="text/css" />
</head>
<body>
    <div id="main">
      <div class="caption">Spec OPS Advantage File Browser</div>

      <div id="icon2"> </div>

      <div id="actual_path">ACTUAL PATH: <?php echo htmlspecialchars($actpath, ENT_QUOTES, 'UTF-8'); ?></div>

      <div id="result">
        <table width="100%">
<?php
        showContent($actpath);
?>
        </table>
     </div>
<div id="source">Spec Ops Advantage</div>
    </div>
</body>
</html>


Here are a couple things you could do:

1) chmod the parent-level directories so they are not allowed to do anything to the folder

2) employ a simple basedir restriction, in which ?path=/ would refer to the base directory of the user's folder.  You could then proceed to strip out all dots (".") from the ?path= variable, so ?path=../ would translate to simply ?path=/ using a simple str_replace call.

 

A combination of the two is obviously optimal, and the first one is more of a temporary patch than a fix.


First off thank you for such a quick response...Amazing!!!

 

Second, the first option would work like you said... however, there are a ton of folders... I guess they should all be chmoded anyway for security... most are already... thanks for reminding me of the obvious, which I have obviously forgotten!!!

 

The second option sounds great, but like I said I am very new to this... I can get it to work if I simply remove the whole function aspect (function showContent($path){) and a few additional lines... However, I then lose the ability to open the new folders and show the content in the folders; I can still view all files and folders in the main file... It seems like anything additional I try to add to this just crumbles... unless it is HTML or CSS!!!


I finally figured out what I needed to do to make this user unable to view the lower-level directories/files by typing ?path=../ at the end of the code...

 

Thanks for viewing and trying to help!

 

To solve I simply did the following:

1. Used str_replace for the actpath

2. Made an auto redirect with the header function if a user tries to view the directories this way (?path=../ or anything similar); it will redirect back to the main page of the file browser.

3. Pulled half of my hair out trying to figure it out...was actually very simple. Amazing how easy php is once you learn how to use all the functions (and actually can find them!).

 

Thanks for all your help and happy coding

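Editor's note: the traversal in the original post, the basedir restriction suggested in the first reply, and the str_replace-plus-redirect fix described in the final post all come down to the same question: does the requested path, once resolved, still sit inside the user's upload directory? The script below is an added example, not code from this thread or from the poster's file browser. It builds a throwaway directory tree under the system temp directory (the layout `ownerfiles/useruploads/alice` and the file names are made up for the demonstration), resolves a set of constructed `?path=` values with `realpath()` and a prefix check, and prints next to each one what the dot-stripping sanitiser from the first reply would have produced.

```php
<?php
// Added example, not code from the thread. Confines ?path= to a per-user upload
// directory with realpath(), side by side with the dot-stripping sanitiser from
// the first reply, over a set of constructed inputs. Directory layout and payloads
// below are made up for the demonstration.
declare(strict_types=1);

/**
 * Resolve a user-supplied path against $baseDir and return the canonical
 * absolute path, or null if it does not exist or escapes $baseDir.
 */
function resolveUserPath(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                               // misconfigured base directory
    }
    if (strpos($requested, "\0") !== false) {
        return null;                               // NUL byte: realpath() would reject it anyway
    }
    // Treat every request as relative to the base, even one that starts with "/".
    $real = realpath($base . DIRECTORY_SEPARATOR . ltrim($requested, "/\\"));
    if ($real === false) {
        return null;                               // target does not exist
    }
    // Prefix check includes the separator so that /base2 does not pass as inside /base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($real !== $base && strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;                               // canonical path is outside the base
    }
    return $real;
}

/** The str_replace idea from the first reply, kept for comparison. */
function stripDots(string $requested): string
{
    return str_replace('.', '', $requested);
}

/** Remove the temporary tree created for the demonstration. */
function removeTree(string $dir): void
{
    foreach (scandir($dir) as $entry) {
        if ($entry === '.' || $entry === '..') {
            continue;
        }
        $p = $dir . DIRECTORY_SEPARATOR . $entry;
        is_dir($p) ? removeTree($p) : unlink($p);
    }
    rmdir($dir);
}

// ---- constructed tree: <tmp>/ownerfiles/useruploads/alice is the user's root ----
$root = sys_get_temp_dir() . '/fb_demo_' . bin2hex(random_bytes(4));
mkdir("$root/ownerfiles/useruploads/alice/docs", 0700, true);
mkdir("$root/ownerfiles/useruploads/bob", 0700, true);
$root = realpath($root);                           // canonical form, for clean output below
file_put_contents("$root/ownerfiles/useruploads/alice/docs/report.txt", "alice's file");
file_put_contents("$root/ownerfiles/secret.php", "<?php // owner-only script");
$userBase = "$root/ownerfiles/useruploads/alice";

// Constructed ?path= values: legitimate ones first, then traversal attempts.
$payloads = array('.', 'docs', 'docs/report.txt', '../', '../../secret.php',
                  'docs/../../bob', '....//....//secret.php', '/etc/passwd');

printf("%-26s %-22s %s\n", '?path=', 'stripDots()', 'resolveUserPath()');
foreach ($payloads as $p) {
    $real = resolveUserPath($userBase, $p);
    printf("%-26s %-22s %s\n", $p, stripDots($p),
           $real === null ? 'REJECTED' : substr($real, strlen($root)));
}

removeTree($root);
```

In the file browser itself, `resolveUserPath($userBase, $_GET['path'])` would replace the direct use of `$_GET['path']`, and the `null` branch is where the `header('Location: ...')` redirect from the final post belongs. Because the check is done on the path after `realpath()` has collapsed `..`, `.` and symlinks, it does not depend on what characters the request contained, which is also why it handles an absolute path such as `/etc/passwd` that contains no `..` at all.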
