Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)

Adrian Hayter adrianhayter at gmail.com
Wed Aug 4 13:01:20 BST 2010


>> Consider that the url http://example.com/stuff/morestuff/ pointed to
>> the location /var/www/example.com/public/stuff/morestuff/ on a server.
>> Doing a directory traversal on the url (such as:
>> http://example.com/stuff/morestuff/../../../ ) would (on some insecure
>> servers) get the location /var/www/example.com/. Now we know from the
>> previous location that the directory 'public' is contained here, but
>> so could some other directories, such as 'logs' or even important
>> private information.
>> 
>> As you can see, this would matter to the host, since a lot of
>> webservers are configured to display the contents of directories when
>> they do not come across a specified index file (such as index.html or
>> index.php). If you have a folder that is meant to be publicly
>> accessible, you do not want people to be able to traverse out of that
>> directory and into one that contains private data.
> 
> Most helpful - thank you.
> 
> Taking the above example, could you explain the difference in effect
> between http://example.com/stuff/morestuff/../../../ and
> http://example.com/?  Do they not
> lead to the same location on the server, namely /var/www/example.com/?
> 
> Nicholas
> -- 
> Contact and PGP key here <http://www.ernest.net/contact/index.htm>

Since ../ means "go up one directory in the tree", it is perhaps simpler to imagine that you are at the url http://example.com/stuff/morestuff/ and are applying these ../ 'commands' one by one. So we are at the url, and we are going to apply ../ three times. Currently we are in the directory 'morestuff', and so applying the first ../ will take us up one directory to 'stuff'. The second ../ will take us up another level to the root directory of example.com. The third ../ will then take us up a further directory, but this can't be represented as a url, because we are going above the url root as it were, and into the realm of the actual filesystem itself.

If the url http://example.com/ points to /var/www/example.com/, then the following is true (assuming the webserver is set up in a simple manner):

http://example.com/stuff/morestuff/ => /var/www/example.com/stuff/morestuff/
http://example.com/stuff/morestuff/../ => /var/www/example.com/stuff/
http://example.com/stuff/morestuff/../../ => /var/www/example.com/
http://example.com/stuff/morestuff/../../../ => /var/www/

So whilst http://example.com/stuff/morestuff/../../ points to the same thing as http://example.com/, three directory traversals will go up even further.

On most webservers I've come across, there are systems in place to prevent this, and it doesn't matter how many times you add an extra ../, the furthest you can traverse is to the root of the actual URL (i.e. http://example.com). As a matter of interest, I applied this to my own website, and if you visit this link: http://adrianhayter.com/documents/../../../../ you should get the homepage (i.e. http://adrianhayter.com). Adding extra ../ doesn't change this behaviour.

-Adrian
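The two behaviours discussed in this message, a naive server that lets ../ walk out of the document root and a hardened one that clamps traversal at the URL root, can be reproduced with a few lines of path handling. The following is an added example, not code from the original thread or from any particular webserver; the document root /var/www/example.com is taken from the thread's example, and the function names, the URL-decoding step and the %2e-encoded test input are assumptions added here for illustration.

```python
import posixpath
from urllib.parse import unquote

# Assumption: the document root used throughout the thread's example.
DOCROOT = "/var/www/example.com"


def naive_resolve(docroot, url_path):
    """Insecure mapping: concatenate and let the OS normalise the result.

    '..' segments are honoured relative to the filesystem, so enough of them
    escape the document root (the "some insecure servers" case in the thread).
    """
    return posixpath.normpath(docroot + url_path)


def remove_dot_segments(path):
    """Collapse '.' and '..' within the URL path itself.

    This mirrors the remove_dot_segments algorithm of RFC 3986 section 5.2.4:
    a '..' at the URL root is simply discarded, so no number of extra '../'
    can climb above '/'. Empty segments (doubled or trailing slashes) are
    dropped as well.
    """
    segments = []
    for seg in path.split("/"):
        if seg == "..":
            if segments:          # at the root there is nothing to pop
                segments.pop()
        elif seg in ("", "."):
            continue
        else:
            segments.append(seg)
    return "/" + "/".join(segments)


def safe_resolve(docroot, url_path):
    """Hardened mapping: decode, normalise the URL path first, then join.

    Because '..' is resolved against the URL root before the document root is
    prepended, the furthest any request can reach is docroot itself, which is
    the behaviour described for most webservers in the thread. The final check
    is belt and braces: it makes the confinement explicit even if the
    normalisation above were ever changed.
    """
    decoded = unquote(url_path)            # handle %2e%2e and friends
    clean = remove_dot_segments(decoded)
    full = posixpath.normpath(posixpath.join(docroot, clean.lstrip("/")))
    if full != docroot and not full.startswith(docroot + "/"):
        raise ValueError("resolved path escapes the document root: " + full)
    return full


if __name__ == "__main__":
    # Constructed request paths echoing the thread's ladder of '../' steps.
    for req in ["/stuff/morestuff/", "/stuff/morestuff/../",
                "/stuff/morestuff/../../", "/stuff/morestuff/../../../",
                "/documents/../../../../", "/stuff/%2e%2e/%2e%2e/%2e%2e/etc/passwd"]:
        print(f"{req:45} naive={naive_resolve(DOCROOT, req):30} "
              f"safe={safe_resolve(DOCROOT, req)}")
```

Running the block prints the naive and hardened mapping side by side: three ../ steps take the naive version to /var/www, exactly as in the table above, while the hardened version stops at /var/www/example.com and keeps stopping there however many ../ are appended, which is the homepage behaviour the message reports. The %2e-encoded request is included because a check that only looks for the literal string ../ misses it; decoding before normalising closes that gap.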