Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Directory traversal vulnerability

Posted on 2011-09-23
4
Medium Priority
?
398 Views
Last Modified: 2012-05-12
I have come across a security issue on a linux web server.  If someone enters the following in the address bar of a web browser:

http://web.page.com/index.php?page=../../../../../../etc/passwd

They can view this file.  I have since removed the web server from public access.  The php script was internally created to be a helpdesk support site.  What can be done to the server to make sure no one can call this command and view other directories on the server?
0
Comment
Question by:the-miz
  • 2
  • 2
4 Comments
 

Author Comment

by:the-miz
ID: 36587813
See attached image as there is a special character at the end of the address.
Image2.jpg
0
 
LVL 4

Accepted Solution

by:
sakman earned 2000 total points
ID: 36588008
In your php.ini you could set the open_basedir to your www root.

The open_basedir directive "Limit the files that can be opened by PHP to the specified directory-tree".
0
 

Author Comment

by:the-miz
ID: 36588381
Thanks!
0
 
LVL 4

Expert Comment

by:sakman
ID: 36588453
You're welcome.

You could also check safe_mode (http://php.net/safe_mode)
and open_basedir (http://php.net/open-basedir).
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A Change in PHP Behavior with Session Write Short Circuit (http://php.net/manual/en/book.session.php#116217) (Winter 2014)** With the release of PHP 5.6 the session handler changed in a way that many think should be considered a bug.  See the note …
You ever wonder how to backup Linux system files just like Windows System Restore?  Well you can use Timeshift in Linux to perform those similar action.  This tutorial will show you how to backup your system files and keep regular intervals. Note…
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial
Despite its rising prevalence in the business world, "the cloud" is still misunderstood. Some companies still believe common misconceptions about lack of security in cloud solutions and many misuses of cloud storage options still occur every day. …
Suggested Courses
Course of the Month11 days, 21 hours left to enroll

916 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question