<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><blockquote type="cite"><div><blockquote type="cite">Consider that the url <a href="http://example.com/stuff/morestuff/">http://example.com/stuff/morestuff/</a> pointed to<br></blockquote><blockquote type="cite">the location /var/www/example.com/public/stuff/morestuff/ on a server.<br></blockquote><blockquote type="cite">Doing a directory traversal on the url (such as:<br></blockquote><blockquote type="cite"><a href="http://example.com/stuff/morestuff/">http://example.com/stuff/morestuff/</a>../../../ ) would (on some insecure<br></blockquote><blockquote type="cite">servers) get the location /var/www/example.com/. Now we know from the<br></blockquote><blockquote type="cite">previous location that the directory 'public' is contained here, but<br></blockquote><blockquote type="cite">so could some other directories, such as 'logs' or even important<br></blockquote><blockquote type="cite">private information.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">As you can see, this would matter to the host, since a lot of<br></blockquote><blockquote type="cite">webservers are configured to display the contents of directories when<br></blockquote><blockquote type="cite">they do not come across a specified index file (such as index.html or<br></blockquote><blockquote type="cite">index.php). 
If you have a folder that is meant to be publicly<br></blockquote><blockquote type="cite">accessible, you do not want people to be able to traverse out of that<br></blockquote><blockquote type="cite">directory and into one that contains private data.<br></blockquote><br>Most helpful - thank you.<br><br>Taking the above example, could you explain the difference in effect<br>between <a href="http://example.com/stuff/morestuff/">http://example.com/stuff/morestuff/</a>../../../ and<br><a href="http://example.com/">http://example.com/</a> <<a href="http://example.com/stuff/morestuff/">http://example.com/stuff/morestuff/</a>>? Do they not<br>lead to the same location on the server, namely /var/www/example.com/?<br><br>Nicholas<br>-- <br>Contact and PGP key here <<a href="http://www.ernest.net/contact/index.htm">http://www.ernest.net/contact/index.htm</a>><font class="Apple-style-span" color="#000000"><font class="Apple-style-span" color="#144FAE"><br></font></font></div></blockquote><br></div><div>Since ../ means "go up one directory in the tree", it is perhaps simpler to imagine that you are at the url <a href="http://example.com/stuff/morestuff/">http://example.com/stuff/morestuff/</a> and are applying these ../ 'commands' one by one. So we are at the url, and we are going to apply ../ three times. Currently we are in the directory 'morestuff', and so applying the first ../ will take us up one directory to 'stuff'. The second ../ will take us up another level to the root directory of <a href="http://example.com">example.com</a>. 
The third ../ will then take us up a further directory, but this can't be represented as a url, because we are going above the url root as it were, and into the realm of the actual filesystem itself.</div><div><br></div><div>If the url <a href="http://example.com/">http://example.com/</a> points to /var/www/example.com/, then the following is true (assuming the webserver is set up in a simple manner):</div><div><br></div><div><a href="http://example.com/stuff/morestuff/">http://example.com/stuff/morestuff/</a> => /var/www/example.com/stuff/morestuff/</div><div><a href="http://example.com/stuff/morestuff/">http://example.com/stuff/morestuff/</a>../ => /var/www/example.com/stuff/</div><div><a href="http://example.com/stuff/morestuff/">http://example.com/stuff/morestuff/</a>../../ => /var/www/example.com/</div><div><a href="http://example.com/stuff/morestuff/">http://example.com/stuff/morestuff/</a>../../../ => /var/www/</div><div><br></div><div>So whilst <a href="http://example.com/stuff/morestuff/">http://example.com/stuff/morestuff/</a>../../ points to the same thing as <a href="http://example.com/">http://example.com/</a>, three directory traversals will go up even further.</div><div><br></div><div>On most webservers I've come across, there are systems in place to prevent this, and it doesn't matter how many times you add an extra ../, the furthest you can traverse is to the root of the actual URL (i.e. <a href="http://example.com">http://example.com</a>). As a matter of interest, I applied this to my own website, and if you visit this link: <a href="http://adrianhayter.com/documents/">http://adrianhayter.com/documents/</a>../../../../ you should get the homepage (i.e. <a href="http://adrianhayter.com">http://adrianhayter.com</a>). Adding extra ../ doesn't change this behaviour.</div><div><br></div><div>-Adrian</div></body></html>
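The mapping table in the reply above, and the "stops at the URL root" behaviour it describes, as an added Python example that is not part of the original message or any web server's own code. The document root is the one from the thread; the function names and the sibling directory used in the containment check are assumptions made for illustration.

```python
import posixpath

DOCROOT = "/var/www/example.com"  # document root used in the thread's example


def naive_map(url_path):
    """Insecure mapping: join the URL path to DOCROOT and let the
    filesystem rules resolve ../, so it can climb above DOCROOT."""
    return posixpath.normpath(DOCROOT + "/" + url_path)


def is_inside_docroot(fs_path):
    """Containment check on a resolved path. Comparing against DOCROOT plus
    a separator avoids accepting a sibling such as DOCROOT + '-old'."""
    return fs_path == DOCROOT or fs_path.startswith(DOCROOT + "/")


def clamp_url_path(url_path):
    """Resolve ../ inside the URL space only: once the URL root is reached,
    further ../ segments are dropped instead of climbing higher."""
    stack = []
    for segment in url_path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if stack:
                stack.pop()
        else:
            stack.append(segment)
    return "/" + "/".join(stack)


def safe_map(url_path):
    """Clamp first, then join, then verify containment as a second check."""
    fs_path = posixpath.normpath(DOCROOT + clamp_url_path(url_path))
    if not is_inside_docroot(fs_path):
        raise ValueError("resolved path is outside the document root")
    return fs_path


if __name__ == "__main__":
    base = "/stuff/morestuff/"
    for hops in range(5):
        path = base + "../" * hops
        naive = naive_map(path)
        print(f"{path:32} naive={naive:38} "
              f"inside={is_inside_docroot(naive)!s:5} safe={safe_map(path)}")
```
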