A Directory Traversal Attack, also known as the ../ (dot dot slash) attack, is an exploit carried out using "../" path components. It is used to gain access to files and directories that should not otherwise be accessible.
As an example, consider a PHP script called download.php, which lets anybody pass it an arbitrary path in order to download files stored in a specific directory on the server. Say that directory is called files/. Then download.php?path=image.png would make you download files/image.png.

The danger is when someone requests download.php?path=../../secrets.txt: the server would simply jump out of the files directory and let the client download the requested file, which should not be accessible.

A simple way to prevent this is to resolve the requested path to its canonical form and check whether the result is inside the files directory or not.
<?php
// Directory that downloads are allowed to come from.
$base_path = $_SERVER["DOCUMENT_ROOT"] . "/files/";

// realpath() collapses "../", resolves symlinks and strips the trailing slash;
// it returns false if the path does not exist.
$real_base = realpath($base_path);
if ($real_base === false) {
    die("files directory is missing");
}
// Re-add the separator so that a sibling such as "/var/www/files_secret"
// cannot pass a plain prefix comparison against "/var/www/files".
$real_base .= DIRECTORY_SEPARATOR;

$user_path = $base_path . $_GET["path"];
$real_user_path = realpath($user_path);
if (($real_user_path !== false) && (strncmp($real_user_path, $real_base, strlen($real_base)) === 0))
{
    // This is inside of the "files/" directory: safe to serve
}
else
{
    // This is outside of the "files/" directory (or does not exist): refuse
}
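The same containment check as an added Python example, not code from the original article. It builds a constructed directory layout (hypothetical names: files/, files_secret/, secrets.txt and a symlink link_out) and goes beyond the text by covering the sibling-directory and symlink cases that a plain string-prefix comparison can miss.

```python
import os
import tempfile


def resolve_download_path(base_dir: str, requested: str):
    """Return the absolute file to serve, or None if it escapes base_dir.

    Same idea as the PHP check: canonicalise both paths with realpath
    (collapses '..' and follows symlinks), then require the file to sit
    inside the canonical base. commonpath is used instead of a bare string
    prefix test so that a sibling such as 'files_secret' cannot pass as
    'files'. An absolute request discards base_dir in os.path.join and is
    rejected by the same containment test.
    """
    real_base = os.path.realpath(base_dir)
    real_file = os.path.realpath(os.path.join(base_dir, requested))
    if not os.path.isfile(real_file):
        return None
    if os.path.commonpath([real_base, real_file]) != real_base:
        return None
    return real_file


def build_sample_tree():
    """Constructed layout for the demo (hypothetical, not from the article):
    root/files/image.png, root/files/link_out -> root/secrets.txt,
    root/files_secret/leak.txt and root/secrets.txt.
    Returns (root, files_dir)."""
    root = tempfile.mkdtemp(prefix="traversal_demo_")
    files_dir = os.path.join(root, "files")
    os.makedirs(files_dir)
    os.makedirs(os.path.join(root, "files_secret"))
    for rel in ("files/image.png", "files_secret/leak.txt", "secrets.txt"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("sample content\n")
    # Symlink inside files/ that points outside it; realpath exposes this.
    os.symlink(os.path.join(root, "secrets.txt"),
               os.path.join(files_dir, "link_out"))
    return root, files_dir


if __name__ == "__main__":
    root, base = build_sample_tree()
    for req in ("image.png", "../../secrets.txt", "../secrets.txt",
                "../files_secret/leak.txt", "link_out",
                os.path.join(root, "secrets.txt")):
        verdict = "serve" if resolve_download_path(base, req) else "reject"
        print(f"{verdict:6} path={req}")
```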