restricting/securing filebrowser in php

Question

I've built my filebrowser so far but it's pretty insecure. For example when you insert "?dir=../" or "?dir=../../../" you can view files you shouldn't be able to. My code:

<?php
    if(isset($_GET['dir']) && $_GET['dir'] !== "../") {$dir = $basedir.$_GET['dir']."/";} else {$dir = $basedir;}
    if ($handle = opendir($dir)) {
        if(isset($_GET['dir']) && $_GET['dir'] !== "") {echo "<a href='?dir='>back to root</a>";}
        while (false !== ($file = readdir($handle))) {
            if ($file != "." && $file != "..") {
                if(filetype($dir . $file) == "file") {$filetype = what_suffix($file);} else {$filetype = "-";}
                if(filetype($dir . $file) == "file") {$filesize = round( filesize($dir . $file)/1024/1024 ,2)." MB";} else {$filesize = "-";}
                if(filetype($dir . $file) == "file") {$filedate = date("d.m.Y H:i:s", filectime($dir.$file));} else {$filedate = "-";}
                if(filetype($dir . $file) == "file") {
                echo(
                    "<tr>
                        <td><a href='?dir=".@$_GET['dir']."&file=".$file."'>".$file."</td>
                        <td>".$filetype."</td>
                        <td>".$filesize."</td>
                        <td>".$filedate."</td>
                    </tr>"
                ); } else {
                echo(
                    "<tr>
                        <td><a href='?dir=".@$_GET['dir']."/".$file."'>".$file."</td>
                        <td>-</td>
                        <td>-</td>
                        <td>-</td>
                    </tr>"
                ); }


            }
        }
        closedir($handle);
    }
?>

Is there a way I could restrict that? (I guess I just don't see the wood for the trees)

Once you have your relative path from the user, append it to their filestore root, and then run [realpath()](http://uk3.php.net/realpath) on it - and check that it begins with their filestore root. — halfer, May 27 '12 at 18:35
This is also vulnerable to XSS via filename / directory name. https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet — Cheekysoft, May 28 '12 at 08:59

score 1 · Accepted Answer · answered May 27 '12 at 18:29

Here is a basic security check I have used for such things.

function isSecurityViolation($dir) {
    if (preg_match('#https?://#i', $dir)) {
        return true;
    }

    // no directory traversal attempts
    if (strpos($dir, '../') !== false) {
        return true;
    }

    if (strpos($dir, "\x00") !== false) {
        return true;
    }

    if (strpos($dir, '%00') !== false) {
        return true;
    }

    return false;
}

It checks for the following violations:

Attempting to open an http or https URL
Directory traversal using ..
Null character checks which can allow malicious urls to pass certain functions

Somewhere towards the beginning of your script, you could call:

if (isSecurityViolation($dir)) {
    die('No soup for you.');
}

At a minimum, this is still potentially vulnerable to a number of multi-byte character attacks. Prefer a whitelist approach wherever possible. A blacklist like this is always unlikely to contain a complete list of every possible attack vector. — Cheekysoft, May 28 '12 at 08:58

restricting/securing filebrowser in php

1 Answers1