
jesse_orange_newable

Dot Dot Slash Attacks

In one of my applications there was recently a security audit, and directory traversal came up. In one package I'm using, one method allows you to download a file from a specified path; however, this path is exposed in a GET request.

So, you can append ../../../../../ until you reach the root of the server, which is awful.

A code example:

return response()->download("../.env");

As there is no protection in place, this will break out of the public folder and actually download the .env file.

I've read this could be avoided by using realpath() and doing some comparison, but my attempts have been unsuccessful.


        $query_string = $validated_data['q'];

        // base_path() is the project root, which is the directory that contains .env itself;
        // the directory downloads are actually served from (e.g. public_path()) is the
        // boundary that needs enforcing.
        $laravel_root = base_path();

        // Resolve the user-supplied path relative to the root rather than the process
        // working directory; realpath() returns false if the target does not exist.
        $user_real_path = realpath($laravel_root . DIRECTORY_SEPARATOR . $query_string);

        // dd($user_real_path); // debugging: uncomment to inspect the resolved path

        // Compare against the root with a trailing separator so a sibling directory whose
        // name merely starts with the root (e.g. /var/www/app-old) is not accepted.
        $root_prefix = rtrim($laravel_root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

        if ($user_real_path === false || strpos($user_real_path, $root_prefix) !== 0) {
            dd('traversal');
        } else {
            dd('!traversal');
        }

0 likes
6 replies
ftiersch

Are you trying to warn us or do you have a question about it?

jesse_orange_newable

It'd be both. If you're using Laravel Filemanager by Unisharp, it allows a user to perform a Dot Dot Slash attack if you have no protection in place, but only because the download function accepts a user-supplied path.

Is this preventable?

Serringer

You could make a custom validation to validate against the ../'s that traverse outside your application's scope.
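The containment check the original post is reaching for with realpath(), and the test Serringer's custom validation would run, as an added example; this is not code from the thread, from Laravel or from the Unisharp package. The function name resolveInsideBase and the constructed directory tree are assumptions for the illustration; it resolves the user-supplied path against the directory downloads are served from (not base_path(), which contains .env) and compares with a trailing separator so a sibling directory sharing the prefix is rejected too.

```php
<?php
// Added example (not from the Laracasts thread or the Unisharp package): resolve a
// user-supplied path against an allowed base directory and reject anything that
// escapes it. Function and directory names are assumptions for the illustration.

declare(strict_types=1);

/**
 * Return the canonical absolute path of $userPath inside $baseDir, or null if the
 * target does not exist or resolves outside $baseDir.
 */
function resolveInsideBase(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // the base directory itself must exist
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR);

    // Resolve relative to the base, not the process working directory, so "../.env"
    // is canonicalised the way the filesystem will actually interpret it.
    // realpath() also follows symlinks, so a link inside the base that points
    // outside it is caught as well.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false) {
        return null; // target does not exist (or is a dangling symlink)
    }

    // Compare with a trailing separator so a base of "/srv/app/public" does not
    // accept "/srv/app/public_backup/secret.txt". The base directory itself is allowed.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($candidate !== $base && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $candidate;
}

// Demonstration on a constructed directory tree under the system temp dir.
$root   = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'traversal-demo-' . bin2hex(random_bytes(4));
$public = $root . DIRECTORY_SEPARATOR . 'public';
mkdir($public . DIRECTORY_SEPARATOR . 'files', 0700, true);
mkdir($root . DIRECTORY_SEPARATOR . 'public_backup', 0700, true);
file_put_contents($public . '/files/report.pdf', 'constructed report');
file_put_contents($root . '/.env', 'APP_KEY=constructed');
file_put_contents($root . '/public_backup/secret.txt', 'constructed');

$cases = [
    'files/report.pdf',            // legitimate download
    '../.env',                     // classic dot-dot-slash
    'files/../../.env',            // traversal hidden behind a valid segment
    '../public_backup/secret.txt', // sibling directory sharing the base's prefix
    'files/missing.pdf',           // does not exist
];

foreach ($cases as $case) {
    $resolved = resolveInsideBase($public, $case);
    printf("%-30s => %s\n", $case, $resolved === null ? 'REJECTED' : 'OK: ' . $resolved);
}
```

In a Laravel controller this replaces the bare response()->download($path) with something like resolveInsideBase(public_path('files'), $request->query('q')) and an abort(404) when the result is null; the same function body is what a custom validation rule would run. Only the first case above resolves; the three escapes are rejected for landing outside the base, and the missing file is rejected because realpath() returns false. A further step, if the package allows it, is to stop accepting paths from the client at all and map a file id to a server-side path instead.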

jove

This is also a good example of why you should do permissions right and not go "ah, screw it, it's hard to set up. 777 it is."

:P

Sinnbeck

And why the www user should never be sudo.

1 like
