securing

on 29.03.2006 11:31:46 by Frank Mutze

hello

Is there a method to prevent an attacker from exploiting download.php
to grab some "sensitive" file?

I mean using this kind of trick:

download.php?filename=../../../../../../../../../../../../etc/passwd

thank you

Re: securing

on 29.03.2006 12:51:21 by Jerry Stuckle

Frank Mutze wrote:
> hello
>
> Is there a method to prevent an attacker from exploiting download.php
> to grab some "sensitive" file?
>
> I mean using this kind of trick:
>
> download.php?filename=../../../../../../../../../../../../etc/passwd
>
> thank you

1. Validate the path and filename being downloaded
2. Don't run the webserver as root
3. Let Unix security help you.

Or, better yet - don't let them input the filename being downloaded. Rather,
give them a list of files and let them select. But don't give them the
filenames themselves - just descriptions. Look up the filenames when they
select which file they want to download.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
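Jerry's second suggestion, worked through as an added example (this is not code from the thread): the page shows descriptions and opaque ids only, and download.php maps the id to a filename through a fixed table, so no user-supplied text ever becomes part of a filesystem path. The directory and the file entries are assumed placeholders.

```php
<?php
// Added example: indirect file references for download.php.
// Assumption: the downloadable files live in DOWNLOAD_DIR (placeholder), outside the web root.
declare(strict_types=1);

const DOWNLOAD_DIR = '/var/www/downloads';

// id => [filename on disk, description shown to the user]; constructed sample entries.
const DOWNLOADS = [
    'brochure' => ['product-brochure.pdf', 'Product brochure (PDF)'],
    'manual'   => ['user-manual.pdf',      'User manual (PDF)'],
    'logo'     => ['logo.png',             'Company logo (PNG)'],
];

/** Renders the selection list: ids and descriptions only, never the filenames. */
function renderList(): string
{
    $html = "<ul>\n";
    foreach (DOWNLOADS as $id => $entry) {
        $html .= sprintf(
            "  <li><a href=\"download.php?id=%s\">%s</a></li>\n",
            rawurlencode($id),
            htmlspecialchars($entry[1], ENT_QUOTES, 'UTF-8')
        );
    }
    return $html . "</ul>\n";
}

/**
 * Resolves a submitted id to an absolute path, or null if the id is unknown.
 * The lookup is a fixed array, so the request can only ever select one of these files.
 */
function resolveDownload(string $id): ?string
{
    if (!array_key_exists($id, DOWNLOADS)) {
        return null;
    }
    return DOWNLOAD_DIR . '/' . DOWNLOADS[$id][0];
}

/** download.php: send the selected file, or fail closed with a 404. */
function serveDownload(string $id): void
{
    $path = resolveDownload($id);
    if ($path === null || !is_file($path)) {
        http_response_code(404);
        exit('No such download');
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

// Usage in download.php (the list page would call renderList()):
// serveDownload((string) ($_GET['id'] ?? ''));
```

Unknown ids and missing files get the same 404, so the response does not tell a caller which of the two happened; adding a file to the site means adding one row to the table, not relaxing any check.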

Re: securing

on 29.03.2006 13:17:45 by Andy Jeffries

On Wed, 29 Mar 2006 11:31:46 +0200, Frank Mutze wrote:

> hello
>
> Is there a method to prevent an attacker from exploiting download.php
> to grab some "sensitive" file?
>
> I mean using this kind of trick:
>
> download.php?filename=../../../../../../../../../../../../etc/passwd

Use http://uk.php.net/realpath to convert it to a normal path and then use
one of the many string comparing functions to check it's within your
acceptable path.

Cheers,

Andy

--
Andy Jeffries MBCS CITP ZCE | gPHPEdit Lead Developer
http://www.gphpedit.org | PHP editor for Gnome 2
http://www.andyjeffries.co.uk | Personal site and photos

Re: securing

on 29.03.2006 13:48:15 by Kimmo Laine

"Frank Mutze" wrote in message
news:e0dk62$hkc$1@s1.news.oleane.net...
> hello
>
> Is there a method to prevent an attacker from exploiting download.php
> to grab some "sensitive" file?
>
> I mean using this kind of trick:
>
> download.php?filename=../../../../../../../../../../../../etc/passwd
>
> thank you

Jerry already suggested a good way, but you can also try it with a checksum
to see that you did generate the filename by recalculating the check.

Say your filename is 'validfile.pdf'. You calculate a checksum for it, for
example by appending a static password and md5'ing it:

$filename = 'validfile.pdf';
$checksum = md5($filename.'supercalifragislisticexpialidocious');

Then echo the link:

download.php?filename=$filename&checksum=$checksum

In download.php, before outputting the file, you recalculate the checksum the
same way and compare it to the given checksum:

if ($_GET['checksum'] === md5($_GET['filename'].'supercalifragislisticexpialidocious'))

If they match, it was indeed a link you generated and a file you chose,
but if it was changed to something like
filename=../../../../../../../../../../../../etc/passwd then the checksums
do not match (or at least the possibility of a false file name matching is
near to non-existent).

I used a scrambler 'supercalifragislisticexpialidocious' here, because
simply md5'ing the filename can be reproduced, but by adding the secret
scrambling key you also ensure that a hacker doesn't outsmart you by also
md5'ing his filename. Without the correct scrambling key the md5 will be
different, and since it's a one-way function, you cannot reproduce the
scrambling key from the md5 hash.

The way Jerry suggested is easier, but this is another way to achieve it.

--
"I am not a bad person, but apples are my livelihood." -Perttu Sirviö
spam@outolempi.net | Gedoon-S @ IRCnet | rot13(xvzzb@bhgbyrzcv.arg)
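The signed-link scheme from Kimmo's post, as an added example rather than the code he posted. Two things are swapped in deliberately: the tag is computed with hash_hmac() and a server-side key instead of md5(filename . secret), and the comparison uses hash_equals(), which is constant-time and avoids PHP's loose "==" on hash strings. The directory and the key are assumed placeholders; a real key must be random and kept out of the web root.

```php
<?php
// Added example: a keyed MAC over the filename proves the link was issued by this server.
// Assumptions: files live in DOWNLOAD_DIR (placeholder); LINK_KEY is a placeholder for a
// long random secret stored in configuration, never in the document root.
declare(strict_types=1);

const DOWNLOAD_DIR = '/var/www/downloads';
const LINK_KEY     = 'REPLACE-WITH-RANDOM-SECRET-KEY';

/** Builds the link the server hands out for a file it chose itself. */
function signedLink(string $filename): string
{
    $sig = hash_hmac('sha256', $filename, LINK_KEY);
    return 'download.php?filename=' . rawurlencode($filename) . '&sig=' . $sig;
}

/**
 * True only if (filename, sig) came from signedLink(): any change to the filename
 * changes the MAC, and without LINK_KEY a client cannot compute a matching one.
 */
function linkIsAuthentic(string $filename, string $sig): bool
{
    $expected = hash_hmac('sha256', $filename, LINK_KEY);
    return hash_equals($expected, $sig);
}

/** download.php: verify the signature, then still confine the file to DOWNLOAD_DIR. */
function serveSigned(string $filename, string $sig): void
{
    if (!linkIsAuthentic($filename, $sig)) {
        http_response_code(403);
        exit('Invalid download link');
    }
    // Defence in depth: a valid signature only proves the server issued the link,
    // so the server must also only ever issue links for plain names inside the directory.
    if ($filename === '' || $filename !== basename($filename)) {
        http_response_code(400);
        exit('Bad filename');
    }
    $path = DOWNLOAD_DIR . '/' . $filename;
    if (!is_file($path)) {
        http_response_code(404);
        exit('No such file');
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $filename . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

/** Constructed self-check of the verification logic, using the thread's own example inputs. */
function selfCheck(): bool
{
    $sig = hash_hmac('sha256', 'validfile.pdf', LINK_KEY);
    return linkIsAuthentic('validfile.pdf', $sig)              // genuine link verifies
        && !linkIsAuthentic('../../etc/passwd', $sig);         // altered filename does not
}

// In download.php:
// serveSigned((string) ($_GET['filename'] ?? ''), (string) ($_GET['sig'] ?? ''));
```

The MAC answers "did this server generate this link?", not "is this file safe to serve?", which is why serveSigned() keeps the basename() check even after a successful verification.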

Re: securing

on 29.03.2006 18:02:50 by D

"Frank Mutze" wrote in message
news:e0dk62$hkc$1@s1.news.oleane.net...
> hello
>
> Is there a method to prevent an attacker from exploiting download.php
> to grab some "sensitive" file?
>
> I mean using this kind of trick:
>
> download.php?filename=../../../../../../../../../../../../etc/passwd
>
> thank you

The easiest way is to remove any path elements that navigate up the
directory structure:

$path = str_replace("../", "", $path);

That would at least keep it within your document root. Comparing the
realpath() is the most secure, however.

dave
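The realpath() containment check that Andy recommends and Dave calls the most secure option, as an added example (not code from either post). It decides on where the resolved path actually lands rather than on which substrings appear in the input, so "..", symlinks inside the directory that point elsewhere, and odd encodings all fall out of the same comparison. The base directory is an assumed placeholder.

```php
<?php
// Added example: canonicalise the requested path and require it to sit inside BASE_DIR.
// Assumption: BASE_DIR (placeholder) is the only directory download.php may serve from.
declare(strict_types=1);

const BASE_DIR = '/var/www/downloads';

/**
 * Returns the canonical path of $requested if it resolves to a regular file inside
 * BASE_DIR, or null otherwise.
 */
function safeDownloadPath(string $requested): ?string
{
    // A NUL byte cannot be part of a filename; reject it before touching the filesystem.
    if (strpos($requested, "\0") !== false) {
        return null;
    }

    $base = realpath(BASE_DIR);
    if ($base === false) {
        return null; // misconfiguration: the base directory does not exist
    }

    // realpath() resolves "..", "." and symlinks, and returns false for paths that
    // do not exist, which is the right answer for a download endpoint anyway.
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }

    // Compare against the base WITH a trailing separator. A bare prefix test on
    // "/var/www/downloads" would also accept a sibling such as "/var/www/downloads_private".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

/** download.php: one response for "missing" and "outside the base", so there is no oracle. */
function serve(string $requested): void
{
    $path = safeDownloadPath($requested);
    if ($path === null) {
        http_response_code(404);
        exit('Not found');
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

// serve((string) ($_GET['filename'] ?? ''));
```

With the thread's own request, realpath() of BASE_DIR followed by the long "../" chain resolves to a path outside the prefix and safeDownloadPath() returns null; an absolute filename is simply appended to the base and resolves to nothing. The check pairs naturally with Jerry's points 2 and 3: even if it were ever bypassed, a non-root web server and filesystem permissions limit what is readable.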