Directory traversal vulnerability

I have come across a security issue on a Linux web server. If someone enters the following in the address bar of a web browser:

http://web.page.com/index.php?page=../../../../../../etc/passwd

They can view this file. I have since removed the web server from public access. The PHP script was internally created to be a helpdesk support site. What can be done to the server to make sure no one can call this command and view other directories on the server?
the-miz Asked:
 
sakman Commented:
In your php.ini you could set the open_basedir to your www root.

The open_basedir directive "Limit the files that can be opened by PHP to the specified directory-tree".
 
the-miz (Author) Commented:
See attached image as there is a special character at the end of the address.
Image2.jpg
 
the-miz (Author) Commented:
Thanks!
 
sakman Commented:
You're welcome.

You could also check safe_mode (http://php.net/safe_mode)
and open_basedir (http://php.net/open-basedir).
Question has a verified solution.
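
An added example, not taken from the thread or from the helpdesk script, of an application-level check to pair with the open_basedir setting suggested above: it canonicalizes the requested page with realpath() and refuses anything that resolves outside the page directory. The function name resolve_page, the directory layout and the php.ini path are assumptions made for illustration.

```php
<?php
// Added example: hypothetical page loader, not the helpdesk script from the question.
// Server-wide backstop from the answer, in php.ini (placeholder path):
//   open_basedir = "/var/www/helpdesk/"
// safe_mode, also mentioned in the thread, was removed in PHP 5.4.0.

/** Map a ?page= value to a file under $baseDir, or null if it is not allowed. */
function resolve_page(string $baseDir, string $requested): ?string
{
    // Reject empty values and control bytes (including NUL) up front.
    if ($requested === '' || preg_match('/[\x00-\x1f\x7f]/', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses ../ segments and follows symlinks; false if missing.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // The canonical path must still sit inside the base directory.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed demo: a temporary tree standing in for the web root.
$root = sys_get_temp_dir() . '/helpdesk_demo_' . getmypid();
mkdir("$root/pages", 0700, true);
file_put_contents("$root/pages/home.php", "<?php echo 'home';");
file_put_contents("$root/secret.php", "<?php echo 'secret';");

$samples = ['home.php', '../secret.php', '../../../../../../etc/passwd', "home.php\0"];
foreach ($samples as $page) {
    $path = resolve_page("$root/pages", $page);
    printf("%-32s => %s\n", addcslashes($page, "\0"), $path ?? 'rejected');
}

// Remove the constructed files again.
unlink("$root/pages/home.php");
unlink("$root/secret.php");
rmdir("$root/pages");
rmdir($root);
```

Only the first sample resolves to a path; the other three are rejected before any file is opened.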
