security problem in my directory list script!!

lozza1978

Hi all

The function below is working at pulling up the directories from the $base_dir variable, But the problem is when a directory is in another directory the PATH= get added the URL, and is very inscure as a user could type

http://localhost/d0nkillas_home/working-on-open-dir.php?PATH=/test%20folder/../../../../

and get back the the full c:/ drive.

can anyone help me secure this function ?

the function...

function Get_Directory_Listing($path) {
   $base_dir = 'H:/Program Files/Apache Group/Apache2/htdocs/test_data/'; // all paths will be relative to webserver.
   $base_dir = Check_For_Slash($base_dir);
   if ($dir_handle = opendir($base_dir . $path)) {
      while ($file = readdir($dir_handle)) {
         $path = Check_For_Slash($path);
         if (($file != ".") && ($file != "..")) {
            chdir($base_dir . $path);
            if (is_dir($file)) {
            	echo "<form action =''  method='post'>";
               print("<A HREF='" . $_SERVER["PHP_SELF"] . "?PATH=" . $path . $file . "'>
               <IMG BORDER='0' SRC='images/dir.gif'> " . $file . "</IMG></A><BR>");
            }
         }
      }
      closedir($dir_handle);
   }
}

thanks for reading my post

NogDog

How about adding this early in the function:

if(strpos($path, '/..') !== FALSE)
{
  user_error("Invalid path", E_USER_WARNING);
  return(FALSE);
}

lozza1978

is there any other way to get behind the root directory ? or is /../ the only one.?

NogDog

lozza1978 wrote:
is there any other way to get behind the root directory ? or is /../ the only one.?

Not that I can think of, since you're appending the input path value onto the basedir value that you explicitly define.

Weedpacket

Or, better yet, maintain a list of directories people are allowed to access, and only allow access to those directories. Much more reliable than trying to deal with each and every possible attack individually.