AlexDarigan / secureapp


9. Directory Traversal on Yellow File #16

Open AlexDarigan opened 2 months ago

AlexDarigan commented 2 months ago

Vulnerability

Directory Traversal

Description

Directory traversal occurs when attackers can browse the directory structure of a website by requesting paths directly, instead of going through the routing system or the set of permitted files. This can give attackers direct access to source code or other sensitive documents stored server-side.

Located

Auth2.php / Auth2

HTTP request type

GET Request

Vulnerable parameter / behaviour

The 'FileToView' parameter of Auth2, which allows attackers to read server-side source code

Payload / actions for reproduction

  1. In the URL, enter /includes
  2. This displays a list of server-side PHP files
  3. On the Auth2 page, change the FileToView query parameter in the URL to any of the PHP files
  4. The PHP source code is now displayed client-side

Code Fix

  1. Use a .htaccess file to prevent leaking information about the server structure
  2. Use an allowlist of files which are valid to view in Auth2

```php
<?php
// Allowed files
// (This also prevents XSS from external sites)
$allowed = array("yellow.txt");
?>
        <section class="main-container">
            <div class="main-wrapper">
                <h2>Auth page 2</h2>
                <?php
                // Default to an empty string so a missing parameter does not raise a notice
                $ViewFile = $_GET['FileToView'] ?? '';
                // Only display the file if it is on the allowlist (strict comparison,
                // so the user-supplied string must match an entry exactly)
                if (in_array($ViewFile, $allowed, true)) {
                    // Read once; file_get_contents() returns false on failure
                    $FileData = file_get_contents($ViewFile);
                    if ($FileData !== false) {
                        echo $FileData;
                    } else {
                        echo "no file found";
                    }
                }
                ?>
            </div>
        </section>
```
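To make the allowlist idea testable outside the app, here is an added example (not code from the secureapp repository) written in Python rather than the project's PHP. It combines the exact-match allowlist from the fix above with a second, defence-in-depth check that the canonical path stays inside the web root, and runs the traversal payloads from the reproduction steps against it in a constructed sandbox directory. The function and directory names are assumptions for the demo.

```python
import os
import tempfile

# Allowlist of files Auth2 may display (mirrors $allowed in the PHP fix above).
ALLOWED_FILES = {"yellow.txt"}


def resolve_view_file(base_dir, requested, allowed=ALLOWED_FILES):
    """Return the absolute path to serve, or None if the request must be refused.

    Two independent checks, both must pass:
      1. exact allowlist match (the fix proposed in the issue);
      2. the canonical path must stay inside base_dir, so that even a
         careless allowlist entry cannot reach outside the web directory.
    """
    if requested not in allowed:
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    # commonpath guards against prefix tricks such as /var/www vs /var/www2
    if os.path.commonpath([base, target]) != base:
        return None
    return target if os.path.isfile(target) else None


def demo():
    """Constructed sandbox: a web root holding yellow.txt and an includes/ dir."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "yellow.txt"), "w") as fh:
        fh.write("yellow file contents\n")
    os.mkdir(os.path.join(root, "includes"))
    with open(os.path.join(root, "includes", "Auth2.php"), "w") as fh:
        fh.write("<?php // server-side source ?>\n")
    # Requests modelled on the reproduction steps, plus two traversal variants
    requests = ["yellow.txt", "includes/Auth2.php",
                "../../etc/passwd", "yellow.txt/../includes/Auth2.php"]
    return {req: resolve_view_file(root, req) is not None for req in requests}


if __name__ == "__main__":
    for req, served in demo().items():
        print(f"{req!r:45} -> {'served' if served else 'refused'}")
```

Only the allowlisted name is served; the second check is what still refuses `../x` even if someone adds a traversal string to the allowlist by mistake.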