What is the root directory of a web server?
It is a specific directory on the server in which the web content is placed and which can be seen by website visitors. Directories other than the root may contain sensitive data which the administrator does not want visitors to see. Everything accessible to a visitor on a website is placed in the root directory. The visitor cannot step out of the root directory.
What does ../ or ..\ (dot dot slash) mean?
The ..\ instructs the system to go one directory up. For example, suppose we are at the location C:\xx\yy\zz. On typing ..\ , we would reach C:\xx\yy. On typing ..\ again, we would reach C:\xx .
Let's go back to the location C:\xx\yy\zz. Now suppose we want to access a text file abc.txt placed in the folder xx. We can type ..\..\abc.txt . Typing ..\ two times takes us two directories up (that is, to the directory xx) where abc.txt is placed.
Note: It is ..\ on Windows and ../ on UNIX-like operating systems.
The goal of this attack is to access sensitive files placed on the web server by stepping out of the root directory using dot dot slash.
Example of a directory traversal attack via web application code
In order to perform a directory traversal attack, all an attacker needs is a web browser and some knowledge of where default files and directories are found on the system.
The following example will make everything clear.
Visit this website, which is vulnerable to a directory traversal attack:
http://www.chitkara.edu.in/chitkara/chitkarauniversity.php?page=notification.php
This web server is running on a UNIX-like operating system. On unix/linux there is a directory 'etc' which contains the configuration files of the programs that run on the system. Some of the files placed in the 'etc' directory are passwd, shadow, profile and sbin.
The file etc/passwd contains the login names of users and even passwords too.
Let's try to access this file on the web server by stepping out of the root directory. Look carefully at the position of the directories placed on the web server.
We do not know the actual names and contents of the directories except 'etc', which is a default name, so I have marked them as A, B, C, E or whatever.
We are in directory F, accessing the web pages of the website.
Let's type this in the URL field and press enter:
http://www.chitkara.edu.in/chitkara/chitkarauniversity.php?page=etc/passwd
This will search for the directory 'etc' in F. But obviously there is nothing like this in F, so it will return nothing.
Now type
http://www.chitkara.edu.in/chitkara/chitkarauniversity.php?page=../etc/passwd
This will step up one directory (to directory E) and look for 'etc', but again it will return nothing.
Now type
http://www.chitkara.edu.in/chitkara/chitkarauniversity.php?page=../../etc/passwd
This will step up two directories (to directory D) and look for 'etc', but again it will return nothing.
So, proceeding like this, we arrive at this URL:
http://www.chitkara.edu.in/chitkara/chitkarauniversity.php?page=../../../../../etc/passwd
It takes us 5 directories up to the main drive, then into the 'etc' directory, and shows us the contents of the 'passwd' file.
To understand the contents of the 'passwd' file, visit
http://www.cyberciti.biz/faq/understanding-etcpasswd-file-format/
You can also view etc/profile, etc/services and many other files, such as backup files, which may contain sensitive data. Some files, like etc/shadow, may not be accessible because they are accessible only to privileged users.
Note: If proc/self/environ were accessible, you might upload a shell to the server; this is called Local File Inclusion.
Countermeasures
1. Use the latest web server software
2. Effectively filter the user's input
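As an added illustration of the second countermeasure (this is example code written for this page, not code from the original post or from the site it points at), the following Python script places the vulnerable include pattern the walkthrough relies on beside a hardened version. It also shows concretely how each ../ or ..\ from the dot-dot-slash explanation above moves the resolved path one directory up. WEB_ROOT, ALLOWED_PAGES and the function names are assumptions made for the demonstration; posixpath is used so the result matches the UNIX-like server the page describes no matter where the script runs.

```python
import posixpath

# Assumed web root for the demonstration (a constructed value, not the
# real site's layout).
WEB_ROOT = "/var/www/html"

# Assumed allowlist of the pages the application is willing to include.
ALLOWED_PAGES = {"notification.php", "about.php"}


def include_vulnerable(page):
    """The pattern the walkthrough exploits: the 'page' parameter is joined
    onto the web root with no check, so every '../' walks one directory up
    and enough of them leave the root entirely."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, page))


def resolve_inside_root(root, page):
    """Canonicalise the requested path and return it only if it is still
    inside 'root'; return None otherwise.

    The containment test compares the longest common path rather than a
    string prefix: a plain startswith() check would wrongly accept
    '/var/www/html_backup/x' as being under '/var/www/html'."""
    root = posixpath.normpath(root)
    # Treat backslashes as separators so the Windows form '..\' the page
    # mentions is normalised exactly like '../'.
    candidate = posixpath.normpath(posixpath.join(root, page.replace("\\", "/")))
    # posixpath.join discards 'root' when 'page' is absolute ('/etc/passwd'),
    # so it is the containment test below that actually rejects that case.
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


def include_hardened(page):
    """Allowlist first (the strongest fix when the set of includable pages
    is known), then the containment check as defence in depth."""
    if page not in ALLOWED_PAGES:
        return None
    return resolve_inside_root(WEB_ROOT, page)


def demo():
    """Run both versions over constructed inputs: the legitimate page from
    the walkthrough plus the traversal strings it steps through."""
    inputs = [
        "notification.php",
        "etc/passwd",
        "../etc/passwd",
        "../../../../../etc/passwd",
        "..\\..\\..\\..\\..\\etc\\passwd",
        "/etc/passwd",
        "../html_backup/config.php",
    ]
    return {p: (include_vulnerable(p), include_hardened(p)) for p in inputs}


if __name__ == "__main__":
    for page, (vuln, hard) in demo().items():
        print(f"{page!r:38} vulnerable -> {vuln:28} hardened -> {hard}")
```

Running the script shows the vulnerable resolver climbing from /var/www/html/etc/passwd to /var/www/etc/passwd and finally to /etc/passwd as more ../ segments are added, while the hardened resolver returns None for every request that is not on the allowlist or does not stay under the root. The allowlist is the part to prefer in a real application: when the includable pages are a fixed set, the path never needs to be built from user input at all.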