PHP file directory guessing vulnerability

Source: Internet
Author: User

No matter how you use a file, you have to specify a filename somewhere. In many cases the filename is passed as a parameter to fopen(), and other functions then operate on the handle it returns:

<?php
$handle = fopen('/path/to/myfile.txt', 'r');
?>

The vulnerability arises when tainted data is used as part of the filename:

<?php
$handle = fopen("/path/to/{$_GET['filename']}.txt", 'r');
?>

The scope of an attack is limited here, because the leading path and the trailing extension cannot be manipulated by the attacker. Remember, however, that some attacks use a null byte (represented as %00 in the URL) to terminate the string, which can bypass any file extension restriction. In this situation the most dangerous attack is directory traversal: multiple ../ sequences request the parent directory repeatedly so that the final path escapes the intended directory. For example, imagine that the value of filename is specified as follows:

Http://example.org/file.php?file ... nother/path/to/file

As with many attacks, if tainted data is used when constructing a string, the attacker gets an opportunity to change that string and make your application run in a way you did not intend. If you develop the habit of building dynamic strings only from filtered data, you can prevent many types of vulnerability, including ones you are not yet familiar with.

Because the filename passed to fopen() begins with the static prefix /path/to, the attack above traverses up more directories than it needs to. The attacker cannot view the source code before attacking, so the typical strategy is to repeat ../ many times. Using ../ too many times does not break the attack (once the root directory is reached, further ../ sequences have no effect), so the attacker does not need to guess the depth of the directory.

The attack above makes the fopen() call behave in a way you did not intend; after the path is simplified, it is equivalent to:

<?php
$handle = fopen('/another/path/to/file.txt', 'r');
?>

Many developers who are aware of this problem, or who have been attacked, make the mistake of trying to correct potentially malicious data, sometimes without checking it first. As described in Chapter One, the best approach is to treat filtering as an inspection process and force users to follow the rules you set. For example, if a valid filename contains only letters, the following code enforces that restriction:

<?php
$clean = array();
if (ctype_alpha($_GET['filename'])) {
    $clean['filename'] = $_GET['filename'];
} else {
    /* ... */
}
$handle = fopen("/path/to/{$clean['filename']}.txt", 'r');
?>

It is not necessary to escape the filename value because the data is only used in PHP functions and not transferred to the remote system.

The basename() function is useful for checking that the value contains no unwanted path components:

<?php
$clean = array();
if (basename($_GET['filename']) === $_GET['filename']) {
    $clean['filename'] = $_GET['filename'];
} else {
    /* ... */
}
$handle = fopen("/path/to/{$clean['filename']}.txt", 'r');
?>

This approach is a little less secure than allowing only letters in filenames, but you are unlikely to be able to be that strict in practice. A better defense-in-depth approach combines the two methods above, especially if you use regular expressions rather than ctype_alpha() to validate the filename.

When the entire tail of a file name consists of unfiltered data, a high-risk vulnerability arises:

<?php
$handle = fopen("/path/to/{$_GET['filename']}", 'r');
?>

Giving attackers more flexibility means more vulnerabilities. In this example, an attacker can manipulate the filename parameter to point to any file in the filesystem regardless of path or extension, because the extension is now part of $_GET['filename']. As long as the web server has permission to read the file, processing proceeds on the file the attacker chose. The vulnerability becomes larger still if the leading part of the path is also built from tainted data.
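The following is an added example, not code from the original text, showing how the two checks described above (ctype_alpha() and basename()) can be combined with a containment check on the resolved path, so that even a filename whose whole tail comes from the user cannot escape the intended directory. The base directory /var/www/data, the helper names cleanFilePath() and openUserFile(), and the sample inputs are all constructed for illustration.

```php
<?php
// Added example (not from the original text): a validating loader that combines
// an allow-list check on the user-supplied name with a path-containment check.
// DATA_DIR and the sample inputs below are constructed for illustration.

const DATA_DIR = '/var/www/data';   // assumed base directory for readable files

/**
 * Return the validated absolute path for $name, or null if it is rejected.
 */
function cleanFilePath(string $name, string $baseDir = DATA_DIR): ?string
{
    // 1. Allow-list: only letters, the rule from the text, via ctype_alpha().
    //    The empty string is rejected too, because ctype_alpha('') is false,
    //    and so is any value containing '.', '/', '\\' or a NUL byte.
    if (!ctype_alpha($name)) {
        return null;
    }

    // 2. Defence in depth: basename() must not change the value, so no
    //    directory separator or ../ sequence slipped past the first check.
    if (basename($name) !== $name) {
        return null;
    }

    // 3. Containment: resolve the final path and confirm it still lies inside
    //    $baseDir. realpath() returns false when the file does not exist, which
    //    we treat as a rejection rather than letting fopen() fail later.
    $candidate = $baseDir . '/' . $name . '.txt';
    $resolved  = realpath($candidate);
    $base      = realpath($baseDir);
    if ($resolved === false || $base === false
        || strpos($resolved, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $resolved;
}

/**
 * Open the file named by an untrusted parameter, or fail closed.
 * Returns a stream resource on success, false on rejection.
 */
function openUserFile(string $untrustedName)
{
    $path = cleanFilePath($untrustedName);
    if ($path === null) {
        return false;           // reject; never fall through to fopen()
    }
    return fopen($path, 'r');
}

// Constructed sample inputs showing which values the filter rejects.
$samples = [
    'report',             // passes the filter; opens only if /var/www/data/report.txt exists
    '../../etc/passwd',   // rejected by ctype_alpha() (dots and slashes)
    "report\0",           // rejected: the NUL byte is not alphabetic
    'report.txt',         // rejected: the dot is not alphabetic
    'sub/report',         // rejected: the slash fails both checks
];
foreach ($samples as $s) {
    $verdict = (ctype_alpha($s) && basename($s) === $s) ? 'passes filter' : 'rejected';
    printf("%-22s %s\n", json_encode($s), $verdict);
}
```

Two points worth keeping in mind when adapting this. ctype_alpha() is locale dependent: under the default C locale it accepts only A-Z and a-z, but after setlocale() with another locale some accented characters may pass as well, so if you need an exact character set a regular expression such as /^[a-zA-Z]+$/ is more predictable. The realpath() containment check is the part that still protects you when the whole tail of the filename is user controlled, because it inspects the path the operating system will actually open rather than the string the user sent.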
