PHP Security Pt 6 Directory Traversal

In part 6 of my PHP Security video tutorial I cover a ton of ways hackers attack and how to hold them off. If you missed the previous tutorials please watch them first. Here is the first one: PHP Security.

In this specific tutorial I will cover:

  • How Spammers take over Comment Boxes
  • The Dangers of Providing Access to your Insert, Delete and Update SQL Queries
  • How Hackers use include and require to attack your site
  • The Damage that can be Done by Directory Traversal
  • How to Stop Directory Traversal Attacks

If you have any questions or comments leave them below. The code that follows the video is collected below. It is deliberately insecure: it shows the holes, not the fixes.

Code From the Video

<title>Open for Monkey Business</title>
<!-- Traversal attacks are used to access files and directories on the server's file system.
     If you expose functions that touch the file system, or don't set permissions properly, you are open to attack. -->
<!-- An unprotected comment form lets an attacker blind-copy the mail to other addresses by
     injecting a newline into a header field: %0aBCC:emails -->
<form action="sendnote.php" method="post">
Name<br />
<input type="text" size="20" name="FirstName" /><br />
Email<br />
<input type="text" size="20" name="email" /><br />
Subject<br />
<input type="text" size="20" name="Subject" id="Subject" /><br />
Comments<br />
<textarea name="comments" cols="16" rows="6"></textarea>
<br />
<br />
<input type="submit" name="Submit" value="Submit" />
</form>
<?php
// php.ini: whether to allow include/require to open URLs (like http:// or ftp://) as files.
// allow_url_include = Off
// Never let users supply input to functions that access the file system or run commands:
// eval, system, exec, file_get_contents, passthru, include, require, file_put_contents, fopen

// Local file inclusion: the attacker chooses which file is included.
// http://localhost/badstuff2.php?language=hackmsg.php%00
// (The %00 null byte truncated the path so the appended '.jpg' was ignored; PHP 5.3.4 and later
// reject paths containing a null byte, but the include of a user-chosen file is still a hole.)
if (isset($_GET['language'])) {
    echo "<h2>Hacked</h2><br />";
    $language = $_GET['language'];
    echo $language . "<br />";
    include($language . '.jpg');
}

// Arbitrary file read: any path the web server user can read is sent to the browser.
// Stripping < ? | > only keeps PHP tags from rendering; it does nothing to protect the server.
if (isset($_GET['file'])) {
    echo "<h2>Get File Contents</h2><br />";
    $file = $_GET['file'];
    $result = file_get_contents($file);
    echo preg_replace('%[<?|?>]%', ' ', $result);
}
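The fix for both handlers above is the same idea: the user never supplies a path, only a key or a bare file name, and the resolved path is checked against the directory it must stay in. The block below is an added example, not the video's code; it assumes a lang/ directory of language files and a docs/ directory of readable text files next to the script, both placeholders.

```php
<?php
// Added example: safe replacements for the ?language= include and ?file= read shown above.
// The lang/ and docs/ directories and the language keys are assumptions for the illustration.

declare(strict_types=1);

/** Allowlist: the visitor picks a key, never a path. */
const LANGUAGES = ['en' => 'en.php', 'fr' => 'fr.php', 'de' => 'de.php'];

function language_file(string $key): ?string
{
    if (!array_key_exists($key, LANGUAGES)) {
        return null;                               // unknown key: nothing gets included
    }
    return __DIR__ . '/lang/' . LANGUAGES[$key];
}

/**
 * Resolve a user-supplied file name inside $base and refuse anything that escapes it.
 * realpath() collapses ../ and symlinks, so "../../../../etc/passwd" and its URL-encoded
 * form (%2e%2e%2f...) both resolve to a path outside $base and are rejected.
 */
function safe_path(string $base, string $name): ?string
{
    if (strpos($name, "\0") !== false) {          // null byte: reject outright
        return null;
    }
    $baseReal = realpath($base);
    $target   = realpath($base . '/' . $name);
    if ($baseReal === false || $target === false) {
        return null;                               // base missing or file does not exist
    }
    // Containment check: the resolved path must begin with the base directory plus a separator.
    if (strpos($target, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return is_file($target) ? $target : null;
}

if (isset($_GET['language']) && is_string($_GET['language'])) {
    $path = language_file($_GET['language']);
    if ($path === null) {
        http_response_code(404);
        exit('Unknown language');
    }
    include $path;
}

if (isset($_GET['file']) && is_string($_GET['file'])) {
    $path = safe_path(__DIR__ . '/docs', $_GET['file']);
    if ($path === null) {
        http_response_code(404);
        exit('No such document');
    }
    // HTML-escape the contents so a document cannot inject markup or script into the page.
    echo '<pre>' . htmlspecialchars(file_get_contents($path), ENT_QUOTES, 'UTF-8') . '</pre>';
}
```

Note the order of checks in safe_path(): realpath() runs before the prefix comparison, so encoded dots, double slashes and symlinks are all normalised first; a check on the raw string for "../" would miss most of the URL-encoded requests listed further down the page.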
// Command injection: the value of execute= is handed straight to the shell.
// Directory listing:  http://localhost/badstuff2.php?execute=ls%20-la
// Environment dump:   http://localhost/badstuff2.php?execute=set
// Read the passwd file by traversing out of the web root with ../ :
//   http://localhost/badstuff2.php?execute=cat%20../../../../etc/passwd
// The same request with the path URL-encoded (%2e = '.', %2f = '/'). PHP receives the decoded
// value, so a check that looks for "../" in the raw URL misses it:
//   http://localhost/badstuff2.php?execute=cat%20%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd
// And with the whole command URL-encoded:
//   http://localhost/badstuff2.php?execute=%63%61%74%20%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64
if (isset($_GET['execute'])) {
    echo "<h2>Command Output</h2><br />";
    $execute = $_GET['execute'];
    exec($execute, $execarray);            // $execarray receives one line of output per element
    foreach ($execarray as $value) {
        echo $value . "<br />";
    }
}
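If a page really must run a command, the user should choose from a fixed menu rather than type a command, and the one argument that does come from the user should be validated against a strict pattern and quoted. The block below is an added example, not the video's code; the actions, the /var/log/app directory and the log-name pattern are assumptions for the illustration.

```php
<?php
// Added example: a replacement for the ?execute= handler above.
// The action table, the log directory and the name pattern are assumptions, not the page's own.

declare(strict_types=1);

/** Fixed menu: the key is looked up, the command string itself is never built from input. */
const ACTIONS = [
    'disk'   => 'df -h',
    'uptime' => 'uptime',
];

function run_action(string $key): ?array
{
    if (!array_key_exists($key, ACTIONS)) {
        return null;                                  // unknown action: nothing runs
    }
    exec(ACTIONS[$key], $output, $status);
    return $status === 0 ? $output : null;
}

/**
 * Show the tail of a log file chosen by name. Three layers:
 *  1. a strict pattern: letters, digits, _ and - only, ending in .log, so no / \ ; % ' " & or spaces;
 *  2. a fixed directory, so the validated name cannot traverse anywhere;
 *  3. escapeshellarg() on the final path, so the shell sees one quoted argument.
 * escapeshellarg() alone would not be enough: it happily quotes "../../etc/passwd".
 */
function tail_log(string $name, int $lines = 20): ?array
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.log$/', $name)) {
        return null;
    }
    $path = '/var/log/app/' . $name;
    $cmd  = 'tail -n ' . max(1, min($lines, 200)) . ' ' . escapeshellarg($path);
    exec($cmd, $output, $status);
    return $status === 0 ? $output : null;
}

$action = isset($_GET['action']) && is_string($_GET['action']) ? $_GET['action'] : '';
$result = $action === 'log' && isset($_GET['name']) && is_string($_GET['name'])
    ? tail_log($_GET['name'])
    : run_action($action);

if ($result === null) {
    http_response_code(400);
    exit('Unknown action');
}
echo '<pre>' . htmlspecialchars(implode("\n", $result), ENT_QUOTES, 'UTF-8') . '</pre>';
```

If none of the pages on a host need exec() at all, the stronger fix is to disable the family in php.ini (disable_functions = exec,system,passthru,shell_exec) so an injected call fails even when some other hole lets an attacker reach it.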
// Don't provide access to functions that interact with the system.
// Filter out % < > / \ ; (%3b) - ' " & from any user input that reaches file or shell functions.
// The web server should run as one dedicated, low-privilege user (e.g. www) that owns only the
// files it needs to read, including files outside the web root:  chown www /cgi-bin
// Permissions no looser than 755 (owner read/write/execute, everyone else read/execute):  chmod 755 file
// Permission bits: read = 4, write = 2, execute = 1, so 7 = 4 + 2 + 1
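Applying those ownership and permission rules by hand to every file is error-prone, so here is an added shell example (not from the video) that does it for a whole web root: directories get 755, regular files 644 (PHP scripts do not need the execute bit when run by the web server), and, when an owner is given and the script runs as root, the tree is handed to that single user. The /var/www/html path and the www user are placeholders.

```sh
#!/bin/sh
# Added example: apply the permission rules from the comments above to a web root.
# Usage: harden_webroot /var/www/html [www]   (path and user name are placeholders)

harden_webroot() {
    dir=$1
    owner=${2:-}
    [ -d "$dir" ] || return 1

    # Directories need the execute bit to be traversed: 755 = owner rwx, group/others r-x.
    find "$dir" -type d -exec chmod 755 {} +
    # Regular files, PHP scripts included, never need execute for the web server: 644.
    # This also clears any setuid/setgid bit that a stray upload might carry.
    find "$dir" -type f -exec chmod 644 {} +

    # One owner for the whole tree. chown needs root, so it only runs when an owner is passed.
    if [ -n "$owner" ]; then
        chown -R "$owner" "$dir"
    fi
}

# Permission string of a path (e.g. drwxr-xr-x), so the result can be checked or logged.
perm_string() {
    ls -ld "$1" | cut -c1-10
}
```

Run it after every deploy, and keep any directory the application must write to (uploads, caches) outside the web root or explicitly re-opened afterwards; a world-writable directory inside the web root is exactly what the traversal and include holes above turn into a shell.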

9 Responses to “PHP Security Pt 6 Directory Traversal”

  1. Jashid says:

    Hacking is really worse than I expected.

    1. How could we restrict access to functions that interact with the system?

    2. How could we Filter out %, , /, \, ; (%3b), -, ‘, “, & ?

    3. How could we set the web server owner permissions?

    • admin says:

      If you host your site with a major hosting company you shouldn't have any problems with permissions. If you don't know how to change permissions it's probably better to leave them alone. For more information on this look up chmod.

      As for stopping hackers, you need to use regular expressions to sanitize all user input. A firewall that stands between your site and the server is also a good idea. I use WordPress Firewall, for example, on all of my WordPress sites.

  2. Abdul Rehman says:

    Thanks for nice videos.

    I have an "admin login panel" on my website for which I want to secure my session. I have googled a lot but am not satisfied with most solutions; every solution has its own issues.

    I am new to PHP, but even so I know that sessions are not secure.
    How do I make a bullet-proof session?

    Please Guide Me

    Thanks in Advance.

  3. PKT says:

    Nice videos on security 🙂
    I've watched them all now, and I'm anticipating part 7. Gotta say, directory traversal really scared the s*** out of me! I've built my first PHP website, and it has loads of forms, and variables in URLs, which I might just lose all together.
    Before I start rebuilding from scratch.... do you think my databases are safe for now with sensible practices (really) and filtering all data with....

    function filter($data) {
        // strip tags, encode what is left, trim whitespace
        $data = trim(htmlentities(strip_tags($data)));
        // undo magic quotes before escaping so the value is not escaped twice
        // (get_magic_quotes_gpc and mysql_real_escape_string were removed in PHP 7)
        if (get_magic_quotes_gpc())
            $data = stripslashes($data);
        $data = mysql_real_escape_string($data);
        return $data;
    }

    • admin says:

      If you implement all of the safe guards I described along with HTTPS your sites should be much more secure than most sites. I can’t however make any promises on security issues for legal reasons. Just know that most people developing websites put up next to no screening code to protect against the types of attacks I described. I hope that helps?

  4. Andy W says:

    Brilliant video, I’ve linked to it from my own article on preventing hacking. I found your page whilst researching directory traversal; rather than the usual technical description, your video explains the subject in a way that can be understood, and really highlights the risks (and saves me writing about it!).

    Thanks to your videos I will be reviewing sanitisation in my own scripts. However, the majority of attacks directly target “system” related software or commonly used blog, bbs and shopping cart systems where vulnerabilities have been identified. So I think it is also vital to have a (as you mentioned in comments) firewall/htaccess/web.config set to block as much as possible at the front door.

    • admin says:

      Thank you. I’m glad you enjoyed them. This is a fairly complex subject. I should revisit this topic and optimize my code. There are some security issues I’d like to address since I wrote this.

  5. James says:

    If I have been traversed how would I turn it off?


