Directory Traversal

Directory Traversal Overview

Directory Traversal vulnerabilities occur once again when the user supplied input is not validated. You think we would get tired of saying this, but it appears this is a very common problem with software. A directory traversal exploit typically occurs when the following types of characters are not checked for correctly: . / \
Take for example a url like the following


www.yoursite.com/openfile.php?filename=myfile.txt

This php page is referencing a myfile.txt which it is going to output to the current html page. Seems like this shouldn't be a problem. Except if you are a malicious user. A malicious user would look at this url and instantly an idea would come into his/her head. What if instead of myfile.txt is placed, a ./myfile.txt is inputted directly. Well you would think that should work it's just referencing the same local file, but the problem is the ./ If a ./ is accepted what about a ../ or maybe a ../../
If you are thinking correctly you remember that the ../ references one directory below the current directory. Now taking this into concept and beforing a bit more, a malicious user could input something similar to a ../../system32/cmd.exe which would call the cmd.exe applications within the windows web server. This will have dangerous potential and is a huge security violation.

URLEncoded and other Unicode Variations

Protecting just against the . / and \ is not enough. Malicious users are a smart bunch. They will use URLEncoding and other variations of Unicode to bypass your checking and validation attempts.

How to protect against Directory Traversal attacks

To protect against directory traversal attacks, the developer will need to validate the input correctly against a white list. Now you can't just say no . is allowed, because maybe in this case you might want to allow a . It would be best to use a regular expression to verity the filename passed in. A regular expression can be created to accept only an alpha-numeric filename followed by a . then a three character filename. This would provide some additional protection against the directory traversal attack.

Unfortunately we still need to go another step further. To protect against URLEncoded and Unicode variation attacks you will need to use a URLDecoded function and unicode converter to verify that you are working only with the ASCII set of characters.