On 4 August 2010 10:44, Nicholas Bohm <span dir="ltr"><<a href="mailto:nbohm@ernest.net" target="_blank">nbohm@ernest.net</a>></span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div>Matthew Pemble wrote:<br><br>
</div><div> Or is the point that people are becoming confused between URL<br>
> truncation and a "Directory Traversal Attack", using the well-known<br>
> '/../' syntax (just the same as, at the time, appending '.' to a .php<br>
> URL often gave you the script source rather than the product)?<br>
> Although Peter's pdf doesn't make it clear although other<br>
> contemporaneous sources<br>
> (<a href="http://www.samizdata.net/blog/archives/008118.html" target="_blank">http://www.samizdata.net/blog/archives/008118.html</a>) do mention the<br>
> method.<br>
<br>
</div>Yes, I certainly confused the two. What exactly does the "/../" syntax<br>
do, and why does it matter to the host? (The article you link isn't<br>
explicit enough for me to follow.)<br></blockquote><div><br>Apologies to those folks on-list for whom this is sucking on a "thousand year egg".<br><br>"Directory Traversal" is a penetration testing technique where you attempt to gain access to parts of the server file system that are not supposed to be shared online - in this case ones outside of the context of the web-server files. <br>
<br>".." normally (i.e. in common Unix and Microsoft filesystems) means "parent directory" - so "cd .." should take you back up one level in the filesystem. However, a well-engineered (and configured) webserver should never provide information outside of the "webroot" - either returning an error (RFC compliant behaviour - I'd guess at a 403 error) or simply returning the default page (normal behaviour).<br>
<br>However, IIS 4 and 5 had a number of problems that Microsoft classified variously as "<font size="2">File Permission Canonicalization</font>" and <font size="2">"Web Server Folder Traversal", patched from Aug 2000 to Aug 2001 (although the first patch was against a completely different problem). Essentially, if you encoded '/..' in Unicode and included it in a URL, you would be returned files outside of the webroot, including critical system configuration files, and you could also run programs on the local machine.<br>
<br>At the time, a well known vulnerability and, I believe, exploited by the Nimda worm.<br></font></div></div><br clear="all"><br>-- <br>Matthew Pemble<br><br><br>
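The message above makes the defender's point in passing: the IIS bug was a canonicalization failure, not a missing check for the literal string "..". The following Python is an added example (not part of the thread, and not IIS or any real server's code) showing the order a web server should use when mapping a URL path onto the filesystem: percent-decode, require strict UTF-8, canonicalize, and only then test whether the resolved path is still inside the web root. The web root "/srv/www" and the sample request paths are constructed values, and the naive_contains_dotdot function is included only to show why a string match before decoding is the wrong check.

```python
import os
from urllib.parse import unquote_to_bytes


class TraversalError(ValueError):
    """Raised when a request path would escape the web root."""


def naive_contains_dotdot(url_path: str) -> bool:
    """The wrong check: looks for a literal '..' before any decoding.

    A percent-encoded '.' (%2e) never matches, so this filter passes
    request paths that still resolve to a parent directory later on.
    """
    return ".." in url_path


def resolve_request_path(webroot: str, url_path: str) -> str:
    """Map url_path onto the filesystem, refusing anything outside webroot.

    Order matters: decode first, canonicalize second, check containment last.
    """
    # 1. Percent-decode to raw bytes, then insist on valid UTF-8. A strict
    #    decoder rejects malformed or overlong byte sequences instead of
    #    silently mapping them onto characters such as '/' or '.'.
    raw = unquote_to_bytes(url_path)
    try:
        decoded = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise TraversalError(f"malformed encoding in path: {url_path!r}") from exc
    if "\x00" in decoded:
        raise TraversalError(f"NUL byte in path: {url_path!r}")

    # 2. Canonicalize after decoding: treat backslashes as separators (Windows
    #    hosts accept both) and let realpath collapse '.', '..', repeated
    #    slashes and symlinks so the check below sees the real target.
    decoded = decoded.replace("\\", "/")
    root = os.path.realpath(webroot)
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))

    # 3. Containment: the resolved path must be the root or a descendant of it.
    if candidate != root and not candidate.startswith(root + os.sep):
        raise TraversalError(f"path escapes web root: {url_path!r}")
    return candidate


def is_within_webroot(webroot: str, url_path: str) -> bool:
    """Boolean wrapper around resolve_request_path for callers that only
    need an allow/deny decision (and for the checks below)."""
    try:
        resolve_request_path(webroot, url_path)
    except TraversalError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample requests against a constructed web root.
    WEBROOT = "/srv/www"
    for path in ("/index.html", "/a/../b/page.html", "/../etc/passwd",
                 "/%2e%2e/%2e%2e/etc/passwd", "/%ff/x"):
        verdict = "allow" if is_within_webroot(WEBROOT, path) else "deny"
        print(f"{path:28} naive-filter-sees-dotdot={naive_contains_dotdot(path)!s:5} "
              f"canonical-check={verdict}")
```

Note that "/a/../b/page.html" is allowed: the parent reference is legitimate because the resolved location is still under the web root, which is exactly the distinction a literal "..." filter cannot make in either direction.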