  1. #26 Jeff Mott
    Quote Originally Posted by cpradio:
    Whoa! Interesting thought

    Does (.*) produce a directory traversal attack?

    Such as mydomain.com/../test.php

    Interesting idea. Why don't you try it and let us know.
    "First make it work. Then make it better."

  2. #27 cpradio
    Quote Originally Posted by Jeff Mott:
    Interesting idea. Why don't you try it and let us know.

    I was at work, so I couldn't. I'm trying it now though.

  3. #28 cpradio
    Quote Originally Posted by cpradio:
    I was at work, so I couldn't. I'm trying it now though.

    And the results!

    If your htaccess is in a sub-directory, yes, it can produce a directory traversal attack on your web-accessible files (you could load a file that is outside of a directory the user may be keeping you in). If it is in the root, it is unlikely (I won't say it can't, just because my local environment didn't permit it) and you may end up with a 500 Internal Server Error.

  4. #29 Jeff Mott
    Quote Originally Posted by cpradio:
    And the results!

    If your htaccess is in a sub-directory, yes, it can produce a directory traversal attack. If it is in the root, it is unlikely (I won't say it can't, just because my local environment didn't permit it) and you may end up with a 500 Internal Server Error.

    Just to make sure we're clear, were you able to access a file outside the document root? Or could you only access a URL path that was already publicly accessible?

  5. #30 cpradio
    Quote Originally Posted by Jeff Mott:
    Just to make sure we're clear, were you able to access a file outside the document root? Or could you only access a URL path that was already publicly accessible?

    Sorry, that wasn't as clear as I should have been; here is what I was able to accomplish.

    Web setup:
    / - root
    /blog/ - subdirectory

    I had a file outside of root named bad.php that was not "web" accessible. I was unable on my local setup to access that (it produced a 500 Internal Server Error) just with the RewriteRule we produced in this thread, regardless of which directory the .htaccess file was in.
    Code:
    RewriteEngine on
    # if a directory or a file exists, use it directly
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    
    # take the url and append .php to it
    RewriteRule ^(.*)$ $1.php
    I also had bad.php in the root directory, and when the .htaccess file is in the /blog/ directory, I could access bad.php in the root directory (but I kind of expected that).

    I then made blog a subdomain and accessed it via the subdomain trying to access bad.php one level up (it also produced a 500 Internal Server error for my setup). So in this case, the bad.php is "web" accessible, but not to the subdomain.

    So to sum up:
    mydomain.com/test - works
    mydomain.com/bad - works (this is for the blog directory and subdomain test)
    mydomain.com/../bad - 500 Error
    mydomain.com/blog/test - works
    mydomain.com/blog/bad - 404 Error (file doesn't exist)
    mydomain.com/blog/../bad - works
    blog.mydomain.com/test - works
    blog.mydomain.com/../bad - 500 Error
    blog.mydomain.com/bad - 404 Error (file doesn't exist)

    So my conclusion is that the only thing the catch-all allows you to do (which is doable anyway, so don't take offense!) is use ../ in your URL to traverse to a directory you already have access to via the web.

    YMMV, so I highly recommend others do their own tests too, but it looks to be "safe" for this scenario.

  6. #31 cpradio
    One other slight "weirdness" (is that a word?) that I can't quite explain is the following:
    Reviewing the rewrite logs, /blog/../bad doesn't invoke the rewrite rule, so the browser or Apache must be intercepting the ../ before the rewrite rule takes place...
    The access.log for these instances only shows a request for /bad; it does not show /blog/../bad.

    Again, just an interesting observation.
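    The path normalisation that posts #30 (the result list) and #31 (the rewrite-log observation) point at, as an added example that is not the thread's own code: it assumes the constructed layout from post #30 (test.php and bad.php in the root, test.php in /blog/), models the rule as if it sat in the root .htaccess, and does not try to reproduce the poster's environment-specific 500 errors.

```python
"""Added example (not from the thread): why /blog/../bad reaches the
rewrite rule as plain /bad. Dot segments are collapsed before RewriteRule
runs, so ^(.*)$ -> $1.php can only name files under the document root."""

# Constructed file layout matching the thread's description (root holds
# test.php and bad.php, /blog/ holds only test.php); hypothetical, not the
# poster's real server.
DOC_ROOT_FILES = {"/test.php", "/bad.php", "/blog/test.php"}
DOC_ROOT_DIRS = {"/", "/blog"}


def remove_dot_segments(path):
    """Collapse '.' and '..' in an absolute URL path (RFC 3986 s.5.2.4).
    Returns None instead of silently clamping when '..' would climb above
    the root; that strictness is this example's choice, not a claim about
    Apache's documented behaviour."""
    out = []
    for seg in path.split("/")[1:]:
        if seg == ".":
            continue
        if seg == "..":
            if not out:
                return None  # escape attempt above the document root
            out.pop()
        else:
            out.append(seg)
    return "/" + "/".join(out)


def serve(request_path):
    """Simulate the thread's rule set against the normalised path:
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteRule ^(.*)$ $1.php
    The rule is modelled as if it lived in the root .htaccess."""
    path = remove_dot_segments(request_path)
    if path is None:
        return "rejected"            # never reaches mod_rewrite
    if path in DOC_ROOT_FILES or path in DOC_ROOT_DIRS:
        return "serve " + path       # -f / -d conditions fail, no rewrite
    target = path + ".php"           # what $1.php expands to
    if target in DOC_ROOT_FILES:
        return "serve " + target
    return "404"                     # rewritten target does not exist


if __name__ == "__main__":
    for req in ("/test", "/blog/../bad", "/blog/bad", "/../bad"):
        print(f"{req:16} -> {serve(req)}")
```

    The value the access.log showed (/bad rather than /blog/../bad) is exactly what remove_dot_segments hands to the rule, which is why the rewrite log never saw the dot segments.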
