Directory Traversal, File Inclusion (en)

From OnnoWiki
Jump to navigation Jump to search

Directory Traversal and File Inclusion: Exploring the File System Unexpectedly

What is Directory Traversal?

Directory traversal is a vulnerability in a web application where an attacker can manipulate user input to access files or directories outside of the ones they are supposed to access. Imagine you are walking around a mall, but you can go outside the designated path and enter restricted areas like a warehouse or control room.

Simple Example:

Suppose a web application has a feature to display a user's profile based on an ID. The URL might look like this:

http://example.com/profile?user=123

If the application does not properly validate the user input, an attacker can change the value of user to

../../../../etc/passwd

This way, the attacker can read the passwd file which contains sensitive information about the operating system user.

What is File Inclusion?

File inclusion is a vulnerability where an attacker can force a server to execute a file that it should not. This often occurs when a web application allows users to specify which files to include or require.

Types of File Inclusion:

  • Local File Inclusion (LFI): The attacker forces the server to read and execute a file that resides on the same server.
  • Remote File Inclusion (RFI): The attacker forces the server to read and execute a file from another server.

Simple Example:

Suppose a web application has a feature to display page content based on filename. The URL might look like this:

http://example.com/page?file=home

If the application does not properly validate the file input, an attacker can replace the file value with

../../../../etc/passwd

If the application uses the include or require functions to include files, then the `passwd` file will be read and displayed on the web page.

Combination of Directory Traversal and File Inclusion

Directory traversal attacks are often used as a first step to file inclusion attacks. Once an attacker has successfully located a file containing code, they can include the file to execute their own code.

Example Attack Scenario:

  • Finding File Location: An attacker uses directory traversal to find the location of a PHP configuration file (php.ini) or a log file containing sensitive information.
  • Reading File: An attacker reads the contents of a PHP configuration file to find out the directory where the PHP executable file is stored.
  • Execute Code: Attackers use file inclusion to insert PHP files containing their own malicious code.

Preventing Directory Traversal and File Inclusion

  • Validate Input: Always validate all user input to ensure that it is as expected.
  • Whitelist: Create a whitelist of files and directories that are allowed to be accessed.
  • Relativize Path: Use the functions provided by the programming language to create paths that are relative to the application directory.
  • Disable Functions: Disable risky functions such as include, require, and eval if they are not needed.
  • Chroot Jail: Restrict application access to the file system by using a chroot jail.

Conclusion

Directory traversal and file inclusion are two very common and dangerous vulnerabilities. By understanding how these attacks work, you can take the necessary steps to prevent them from happening to your web applications.

Interesting Links