From aldeid
Jump to navigation Jump to search
You are here:
Directory Traversal


A directory traversal (or path traversal) attack is the art of exploiting insufficient security validation/sanitization of user-supplied input file names, so that characters representing "traverse to parent directory" ("../" or "..\") are passed through to the URL.

This attack enables one to access files that were not initially intended to be accessible by the application. A very common target is the famous "/etc/passwd file" that provides the attacker with login names, and eventually passwords hashes.

Proof of Concept


WackoPicko suffers from a directory-traversal vulnerability. As you can see in the following portion of code from /pictures/upload.php, there is no proper sanitization of the $_POST["tag"] user input:

$_POST['name'] = str_replace("..", "", $_POST['name']);
$_POST['name'] = str_replace(" ", "", $_POST['name']);
$_POST['name'] = str_replace("/", "", $_POST['name']);
if (!file_exists("../upload/{$_POST['tag']}/"))
  mkdir("../upload/{$_POST['tag']}", 0777, True);
$filename = "../upload/{$_POST['tag']}/{$_POST['name']}";
$relfilename = "{$_POST['tag']}/{$_POST['name']}";

It can enable a malicious users to overwrite any file the web server uses has access to.

Other example

In the example below (you can download the PoC here: http://dl.dropbox.com/u/10761700/poc-directory-traversal.tar.gz), the standard use is to select a file from the dropdown list to display it on the frame below.

Standard usage

This application is vulnerable to a directory traversal attack because:

  • the limitation is only applied on the client side (the dropdown list values could be very easily bypassed by tampering the content of the request)
  • inputs are not properly validated on the server's side (no whitelist of values).

Directory Traversal

How to detect?

How to protect against it?

  • Don't consider these as secure approaches:
    • Concatenate an extension to limit file types (e.g. {$_GET['page']}.txt). This could be bypassed with a NULL byte (%00) at the end of the url. For more information, refer to the examples section.
    • Don't use string patterns such as "../" or "..\" to validate the inputs. Indeed, they could be bypassed by encoding them (URI encodings such as %3e%3e%3f).
    • Don't consider file limitations via client-side controls (dropdown lists, JavaScript controls, ...) because they can be easily bypassed by tampering the request.
  • These approaches are better:
    • chroot (jail) your server installation (e.g. Apache jail)
    • Don't directly process $_GET and $_POST variables. Challenge them against whitelists (e.g. with switch, case, ...). Ignore values out of this whitelist.