Solved

Directory traversal vulnerability

Posted on 2011-09-23
Last Modified: 2012-05-12
I have come across a security issue on a Linux web server. If someone enters the following in the address bar of a web browser:

http://web.page.com/index.php?page=../../../../../../etc/passwd

they can view this file. I have since removed the web server from public access. The PHP script was internally created to be a helpdesk support site. What can be done to the server to make sure no one can call this command and view other directories on the server?
Question by:the-miz
4 Comments
 

Author Comment

by:the-miz
ID: 36587813
See attached image as there is a special character at the end of the address.
Image2.jpg
 

Accepted Solution

by:sakman
ID: 36588008
In your php.ini you could set the open_basedir to your www root.

The open_basedir directive "Limit the files that can be opened by PHP to the specified directory-tree".
 

Author Comment

by:the-miz
ID: 36588381
Thanks!
 

Expert Comment

by:sakman
ID: 36588453
You're welcome.

You could also check safe_mode (http://php.net/safe_mode)
and open_basedir (http://php.net/open-basedir).
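Added example (not code from the thread or from the asker's helpdesk application): the include pattern the question describes, beside two application-level fixes, with the open_basedir setting from the accepted answer and the follow-up comment shown as the server-side backstop. The web root /var/www/helpdesk, the pages/ subdirectory and the page names are assumptions for illustration.

```php
<?php
// Added example; paths and page names are assumptions, not from the original post.

// --- Vulnerable pattern: the query parameter becomes part of a filesystem path ---
// ?page=../../../../../../etc/passwd walks out of pages/ and reads /etc/passwd.
function vulnerable_page(string $page): string
{
    return file_get_contents(__DIR__ . '/pages/' . $page);
}

// --- Fix 1 (preferred): map the parameter to an allowlist, never to a path ---
const PAGES = [
    'home'    => 'home.php',
    'tickets' => 'tickets.php',
    'faq'     => 'faq.php',
];

function resolve_page(string $page): ?string
{
    if (!array_key_exists($page, PAGES)) {
        return null; // unknown name: refuse instead of building a path from input
    }
    return __DIR__ . '/pages/' . PAGES[$page];
}

// --- Fix 2 (defence in depth): when a path must be built, canonicalise and
// verify it is still inside the intended directory before opening it ---
function contained_path(string $base, string $relative): ?string
{
    $baseReal  = realpath($base);
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $relative);
    if ($baseReal === false || $candidate === false) {
        return null; // base missing, or target does not exist
    }
    // Compare with a trailing separator: a bare prefix check would accept
    // /var/www/helpdesk_old as "inside" /var/www/helpdesk.
    if (strpos($candidate . DIRECTORY_SEPARATOR, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return null; // resolved outside the base directory (e.g. via ../)
    }
    return $candidate;
}

// --- Fix 3 (server backstop, the accepted answer): open_basedir ---
// In php.ini or the vhost's PHP configuration:
//   open_basedir = /var/www/helpdesk/:/tmp/
// Every PHP file operation in that process is then refused outside those trees,
// so even the vulnerable_page() call above fails with
// "open_basedir restriction in effect" instead of returning /etc/passwd.
// Note the trailing slash: without it, "/var/www/helpdesk" also matches
// "/var/www/helpdesk_old" as a prefix.

// Request handling using the allowlist.
$page = $_GET['page'] ?? 'home';
$path = resolve_page($page);
if ($path === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $path;
```

Usage note: open_basedir is a runtime check inside PHP's file functions, so it limits the damage of a traversal bug but does not fix the application; the allowlist is the actual fix, and the setting is the safety net for the next bug. Since PHP 5.3 a script may tighten open_basedir further with ini_set(), but it cannot loosen it. The safe_mode directive mentioned in the follow-up comment was deprecated in PHP 5.3 and removed in PHP 5.4, so on any current PHP it is not available and open_basedir plus proper input handling is the path to take.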
