Directory traversal attacks in detail

For the security of a Web server, appropriate access control over Web content is crucial. Directory traversal is an HTTP security vulnerability that allows an attacker to access restricted directories and execute commands outside the root directory of your Web server.

  Web servers provide two main levels of security mechanisms:

  •   Access Control Lists (what we usually call ACLs)
  •   Root directory

  An access control list is used in the authorization process. It is the list a Web server administrator uses to describe which users or groups of users may access, modify and execute particular files on the server, and it also contains a number of other access rights.

  The root directory is a particular directory in the server's file system that acts as a boundary: users cannot access any content located above this directory.

  For example, on Windows the default IIS root directory is C:\Inetpub\wwwroot. Once the ACL check has passed, a user can access the C:\Inetpub\wwwroot\news directory and all other directories and files located under the root directory, but cannot access the C:\Windows directory.

  The root directory prevents users from accessing certain critical files on the server, such as cmd.exe on the Windows platform or the password file on Linux/Unix platforms.

  This vulnerability may exist in the Web server software itself, or in the code of the Web application.

  To perform a directory traversal attack, all an attacker needs is a web browser and some knowledge of where certain default files and directories are located on the system.

  If your site has this vulnerability, what can an attacker do with it?

  By exploiting this vulnerability, an attacker can step out of the server's root directory and access other parts of the file system. For example, the attacker will be able to view some restricted files or, more dangerously, execute instructions that crash the entire system.

  Depending on how access to the web site is set up, the attacker can perform operations while impersonating another user of the site; what is possible depends on how the system authorizes Web site users.

  Example (1): a directory traversal attack through Web application code

  In Web applications with dynamic pages, input is usually obtained from the browser through GET or POST requests. The following is an example of an HTTP GET request URL:

  http://test.webarticles.com/show.asp?view=oldarchive.html

  With this URL, the browser requests the dynamic page show.asp from the server and passes the view parameter with the value oldarchive.html. When the request is executed on the Web server, show.asp retrieves the file oldarchive.html from the server's file system and returns it to the client browser. The attacker can assume that show.asp is able to retrieve files from the file system and craft the following URL:

  http://test.webarticles.com/show.asp?view=../../../../../Windows/system.ini

  This causes the system.ini file to be retrieved from the file system and returned to the user. The meaning of ../ here needs no explanation; I believe we all understand it. The attacker has to guess how many levels up to go to reach the Windows directory, but as you can imagine this is not difficult: after several attempts it will always be found.

  Example (2): a directory traversal attack against the Web server itself

  Apart from the code of the Web application, the Web server itself may be unable to resist directory traversal attacks. The problem may exist in the Web server software or in some sample scripts stored on the server.

  In recent Web server software this problem has been resolved, but many Web servers on the Internet are still running old versions of IIS and Apache, and they may still be unable to resist such attacks. Even if you use a version of the Web server software in which this vulnerability has been resolved, you may still have sensitive default script directories that are well known to hackers.

  For example, the following request URL uses the IIS scripts directory to traverse directories and execute a command:

  http://server.com/scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c:\

  This request returns a list of all files in the C:\ directory. It does so by calling cmd.exe and running dir c:\. %5c is a Web server escape code, used to represent ordinary characters; here it represents "\".

  Newer versions of Web server software check these escape codes and restrict them, but some older versions of server software still have this problem.
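
  The check that defeats both example (1) and the %5c request in example (2), shown beside the vulnerable pattern. This is an added example, not code from the original article; the function names and sample values are constructed for illustration, it assumes Windows path rules (Python's ntpath module), and it also covers double-encoded separators, which the article does not mention.

```python
import ntpath
from urllib.parse import unquote

WEB_ROOT = r"C:\Inetpub\wwwroot"  # IIS default root named in the article

def naive_resolve(view):
    """Vulnerable pattern: trust the parameter and join it to the root."""
    return ntpath.normpath(ntpath.join(WEB_ROOT, unquote(view)))

def safe_resolve(view, root=WEB_ROOT):
    """Return the confined absolute path, or None to reject the request."""
    decoded = view
    for _ in range(3):   # decode until stable so %5c and %255c both surface
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    else:
        return None      # still changing after 3 rounds: reject
    if "\x00" in decoded or ntpath.splitdrive(decoded)[0]:
        return None      # NUL byte, drive letter or UNC prefix
    candidate = ntpath.normpath(ntpath.join(root, decoded))
    # Compare case-insensitively and on a separator boundary, so that
    # C:\Inetpub\wwwroot-old is not mistaken for a child of the root.
    base = ntpath.normcase(ntpath.normpath(root))
    cand = ntpath.normcase(candidate)
    if cand != base and not cand.startswith(base + "\\"):
        return None
    return candidate

# Constructed sample values for the view parameter (not captured traffic).
SAMPLES = [
    "oldarchive.html",
    "../../../../../Windows/system.ini",
    "..%5c..%5cWindows%5csystem.ini",
    "..%255c..%255cWindows%255csystem.ini",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r}: naive={naive_resolve(s)!r} safe={safe_resolve(s)!r}")
```

  The comparison is done on strings only; on a real server, resolve the candidate with the operating system as well, so that links and junctions inside the root are also caught.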

  How do you determine whether a directory traversal vulnerability exists?

  The best way is to use a Web vulnerability scanner. A Web vulnerability scanner can crawl all the directories of your Web site to determine whether a directory traversal vulnerability exists; if one does, it reports the vulnerability and gives a solution. Besides directory traversal vulnerabilities, Web application scanning can also check for SQL injection, cross-site scripting and other vulnerabilities.

 

"Directory traversal" cannot, in fact, be regarded as a vulnerability in itself, because it is a key feature of IIS. Once this option is ticked in IIS, users can access files through the Web site in the form of a directory listing; the feature is commonly used to share files. However, when an administrator enables this feature on a site through negligence or lack of experience, it becomes a full-fledged major vulnerability.

Origin www.cnblogs.com/betong/p/12466173.html