  1. #1
    SitePoint Member

    [n00b] mod_rewrite to prevent directory traversal attacks

    Hi there!
    I am totally new to the security field.
    I have a simple php script that tracks my users' activities:
    Code:
    <?php
    // Request values; HTTP_REFERER and REQUEST_URI are supplied by the client
    $ref=$_SERVER['HTTP_REFERER'];
    $ip=$_SERVER['REMOTE_ADDR'];
    $page=$_SERVER['REQUEST_URI'];
    // $sid was not defined in the posted snippet; assumed to be the PHP session id
    session_start();
    $sid=session_id();
    include("etc/config.mysql.php"); // defines $mysql_hostname, $mysql_username, $mysql_password, $mysql_db
    $conn_visits=mysql_connect($mysql_hostname,$mysql_username,$mysql_password) or die (mysql_error());
    mysql_select_db($mysql_db) or die (mysql_error());
    // The request values are interpolated directly into the SQL string without escaping
    mysql_query("INSERT INTO `visits` (`id` ,`ip` ,`session`, `page`,`referer` ,`date`) VALUES ( '' , '$ip', '$sid','$page','$ref',  CURRENT_TIMESTAMP)") or die (mysql_error());
    mysql_close($conn_visits) or die (mysql_error());

    I noticed that a user tried to load this page: /index.php?dir=../../../../../../../../../../../../..//proc/self/environ%0000

    Code:
    2012-04-15 07:34:26 103.29.196.12 c4ca4bf185f588f6b739952f4f6d15e9  /blog/2012/03/16/index.php?dir=../../../../../../../../../../../../..//proc/self/environ%0000
    2012-04-15 07:34:22 103.29.196.12 b302b847e98edd619b0fd520b95ce69a  /index.php?dir=../../../../../../../../../../../../..//proc/self/environ%0000
    By googling I realised it was an attempt to view private system information, called a "directory traversal attack".

    My question is, can I prevent this by setting a mod_rewrite instruction to redirect to a given URL all URLs containing "../../"?
    Thank you

    o.

  2. #2
    logic_earth
    Actually what you should do is make sure that "?dir=../../../../../../../../../../../../..//proc/self/environ00" didn't work. Most likely it was just an automated bot probing your server. Doing some funky mod_rewrite stuff is not necessary.

    Btw...you could dump the whole "track" user thing. The Web server should already be configured to log every single request for you. It is a lot more efficient letting the web server do it than constantly opening and closing a connection to the database.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.
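    logic_earth's point is that the defence belongs in the script that consumes dir, not in a rewrite rule. The following is an added example, not code from the thread: a hypothetical index.php handler that only ever includes a file from a fixed pages/ directory, rejecting NUL bytes and anything that is not a plain slug, with a realpath() containment check as a second line of defence. The directory name, the .php suffix and the "home" default are assumptions.

```php
<?php
// Added example (not from the thread): whitelist-based handling of a "dir"
// query parameter. Assumes page templates live under ./pages/ (hypothetical).
$baseDir = realpath(__DIR__ . '/pages');

/**
 * Map a requested page name to a file path inside $baseDir, or null to refuse.
 */
function resolvePage(string $baseDir, string $requested): ?string
{
    // "%00" in the probe from the log was meant to truncate the path in old
    // PHP builds; a NUL byte has no legitimate use in a page name.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // Accept only a simple slug; "../", "/" and "%"-encoded variants never match
    // because PHP has already decoded the query string before we see it.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $requested)) {
        return null;
    }
    // realpath() collapses ".." and symlinks; the result must still sit inside
    // $baseDir. Redundant given the slug check, but cheap and independent of it.
    $candidate = realpath($baseDir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($candidate === false
        || strpos($candidate, $baseDir . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

$requested = $_GET['dir'] ?? 'home';
$pageFile  = resolvePage($baseDir, $requested);

if ($pageFile === null) {
    http_response_code(404);
    // Record rejected values so probes like the ones in the log stay visible.
    error_log('index.php: rejected dir parameter: ' . bin2hex($requested));
    exit;
}

require $pageFile;
```

    Because the check runs on the decoded value inside the application, it covers every encoding of "../" the client might send, whereas a rewrite rule matching the literal "../../" in the query string sees only one spelling of it.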


  3. #3
    SitePoint Member
    Quote Originally Posted by logic_earth:
    Actually what you should do is make sure that "?dir=../../../../../../../../../../../../..//proc/self/environ00" didn't work. Most likely it was just an automated bot probing your server. Doing some funky mod_rewrite stuff is not necessary.

    Btw...you could dump the whole "track" user thing. The Web server should already be configured to log every single request for you. It is a lot more efficient letting the web server do it than constantly opening and closing a connection to the database.
    Thank you for reply, logic_earth.

    The /proc/self/environ doesn't work, I checked it myself. Maybe the mod_rewrite thing could be a "general" solution for that attack, but I repeat, I am totally new to these things, so my question is still open.

    The point of the php script is: the hosting service (~15$/year) doesn't show me the Apache logs and the site itself has poor traffic (5/10 users per day); I use that script mostly to check the social networks and sites my users come from; keywords etc. are tracked with Google Webmaster Tools.

  4. #4
    dklynn
    oal,

    Are you using Magic Quotes? Are they enabled (see your phpinfo() printout)? If they are, disable them ASAP!

    Other than that, l_e's statement that $dir is doing nothing is valid so you can consider this to be a clumsy hack-attack by a "script kiddie."

    Once you're past that, consider yourself lucky as you've opened yourself to SQL-injection attacks by not using the mysqli_real_escape_string on the values obtained as input (okay, I believe it's just the HTTP_REFERER in this case) which can be modified by the visitor to change the mysqli_query string to get sensitive data from the MySQL server. In other words, please read the first few posts of the Sticky on resources 'cause your PHP is simply NOT secure.

    Regards,

    DK
    David K. Lynn - Data Koncepts is a long-time WebHostingBuzz (US/UK)
    Client and (unpaid) WHB Ambassador
    mod_rewrite Tutorial Article (setup, config, test & write
    mod_rewrite regex w/sample code) and Code Generator
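    dklynn's point about HTTP_REFERER being attacker-controlled applies to REQUEST_URI as well. As an added example (not the thread's or dklynn's code), here is the tracker from post #1 rewritten with mysqli prepared statements, which bind the request values as data instead of pasting them into the SQL string; it assumes the same `visits` table with an auto-increment `id` and the same etc/config.mysql.php defining the $mysql_* variables.

```php
<?php
// Added example (not from the thread): the visit tracker with bound parameters.
// Assumes etc/config.mysql.php defines $mysql_hostname, $mysql_username,
// $mysql_password and $mysql_db, and that `visits`.`id` is auto-increment.
include __DIR__ . '/etc/config.mysql.php';

session_start();

$ref  = $_SERVER['HTTP_REFERER'] ?? '';   // client-controlled header
$ip   = $_SERVER['REMOTE_ADDR'];
$page = $_SERVER['REQUEST_URI'];          // also client-controlled
$sid  = session_id();

// Cap stored lengths so an oversized header cannot exceed the column size.
$ref  = mb_substr($ref, 0, 2048);
$page = mb_substr($page, 0, 2048);

// Throw on any MySQL error instead of chaining "or die(mysql_error())".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

try {
    $db = new mysqli($mysql_hostname, $mysql_username, $mysql_password, $mysql_db);
    $db->set_charset('utf8mb4');

    // Placeholders instead of string interpolation: a quote, comment sequence
    // or UNION inside HTTP_REFERER is stored verbatim, never parsed as SQL.
    $stmt = $db->prepare(
        'INSERT INTO `visits` (`ip`, `session`, `page`, `referer`, `date`)
         VALUES (?, ?, ?, ?, CURRENT_TIMESTAMP)'
    );
    $stmt->bind_param('ssss', $ip, $sid, $page, $ref);
    $stmt->execute();
    $stmt->close();
    $db->close();
} catch (mysqli_sql_exception $e) {
    // Tracking must never break the page; log the failure server-side only.
    error_log('visit tracker: ' . $e->getMessage());
}
```

    Binding replaces the per-value mysqli_real_escape_string() call dklynn suggests and does not depend on Magic Quotes being off, though they should still be disabled as he says.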

  5. #5
    SitePoint Member
    Quote Originally Posted by dklynn:
    oal,

    Are you using Magic Quotes? Are they enabled (see your phpinfo() printout)? If they are, disable them ASAP!

    Other than that, l_e's statement that $dir is doing nothing is valid so you can consider this to be a clumsy hack-attack by a "script kiddie."

    Once you're past that, consider yourself lucky as you've opened yourself to SQL-injection attacks by not using the mysqli_real_escape_string on the values obtained as input (okay, I believe it's just the HTTP_REFERER in this case) which can be modified by the visitor to change the mysqli_query string to get sensitive data from the MySQL server. In other words, please read the first few posts of the Sticky on resources 'cause your PHP is simply NOT secure.

    Regards,

    DK
    Ok, thank you very much, nice to learn something new!

    oal

