unauthorised writing to folder below webroot

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


divedj
Forum Commoner
Posts: 47
Joined: Wed Dec 29, 2010 4:32 am
Location: Malta

unauthorised writing to folder below webroot

Post by divedj »

Hi everybody,
I've got a security problem with a download folder below the webroot. This folder contains subfolders where customers get access to their purchased items after payment.
Somehow, somebody is able to write to this download folder and fill it up with empty subfolders.

Here is the code I am using to write the customers' items to their subfolders.

```php
function prepareDl($customerNo, $cart_items)
{
    // directory definition: from (album source tree) and to (customer download dir)
    $prev = "../../";
    $dir = DL_BASE."DJPdl_".substr($customerNo, 0, 8);
    $sourceDir = $prev.$dir."/";
    $dlDir = $dir."/";
    $baseDir = "../../content/album/source/";

    // check the directory string for valid characters and create it if it does not already exist
    // (note: this pattern still admits '.', '/' and whitespace)
    if(!is_dir($dir))
    {
        if(preg_match("/^[a-z0-9_.\/\s]+$/i", $dir))
        {
            mkdir($dir, 0755);
        }
        else
        {
            $msg = "Error creating a customer subdirectory $dir!";
            email::errorMsg($msg);
            exit;
        }
    }

    $i = 0;
    $success_msg = "";

    // copy each purchased file from the source tree into the customer's download dir
    foreach($cart_items as $item)
    {
        if(!copy($item, str_replace($baseDir, $dlDir, $item)))
        {
            $success_msg .= "An error occurred. Could not copy ".$item.".";
        }
        else
        {
            $i++;
        }
    }
    if($i < count($cart_items))
    {
        email::errorMsg($success_msg);
    }
    return $i;
}
```
Even checking the directory string I am getting things like DJPdl_ Ans:ws or DJPdl_An:js written to it.

The directory root being written to is below the webroot like /root/something/temp/downloads.

Any ideas to stop unauthorised writing to the directory would be great.

Thanks
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: unauthorised writing to folder below webroot

Post by Mordred »

Funny, the substr shouldn't allow what you observe. Are you sure this is the only call to mkdir() you make?
Also, you shouldn't allow . and \ in folder names.
Do $cart_items contain user input?
divedj
Forum Commoner
Posts: 47
Joined: Wed Dec 29, 2010 4:32 am
Location: Malta

Re: unauthorised writing to folder below webroot

Post by divedj »

First thanks for your reply.

It is definitely the only call to mkdir.

I could check the directory to create before I combine it with the directory base string, which would allow me to take / and . out of the preg_match.

$cart_items does not hold any user input. The content gets pulled out of a db table, which I also checked for unauthorised entries. However, the table is clean.

The information used to create the directory is coming from a table where only a payment processor is writing to with no user input at all.

That's why I am quite a bit puzzled on the matter.

I am very open to any ideas.

Thanks again
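The approach divedj describes above, and Mordred's point about not allowing . and \ in folder names, as an added example (not divedj's code): validate the customer number on its own, against a tight whitelist, before it is joined to the base directory, then confirm the resolved directory still lives under that base. DL_BASE and the DJPdl_ prefix come from the thread; the DL_BASE value, the function name and the 0750 mode are assumptions for illustration.

```php
<?php
// Added example, not the original poster's code. DL_BASE value is assumed.
const DL_BASE = '/var/www/site/temp/downloads/';

/**
 * Return the absolute customer download directory, creating it if needed,
 * or null when the customer number is not acceptable (fail closed).
 */
function customerDlDir(string $customerNo): ?string
{
    // 1. Whitelist the untrusted piece alone: letters, digits, underscore only.
    //    No '.', '/', '\' or whitespace, so "../", " Ans:ws" and "An:js"
    //    are all rejected before any path is built.
    $id = substr($customerNo, 0, 8);
    if (!preg_match('/^[A-Za-z0-9_]{1,8}$/', $id)) {
        return null;
    }

    // 2. Only now compose the path from the trusted base and the checked part.
    $base = realpath(DL_BASE);
    if ($base === false) {
        return null;                 // base directory must already exist
    }
    $dir = $base . DIRECTORY_SEPARATOR . 'DJPdl_' . $id;

    // 3. Create with a restrictive mode (assumed 0750); fail closed on error.
    if (!is_dir($dir) && !mkdir($dir, 0750)) {
        return null;
    }

    // 4. Belt and braces: the resolved directory must still sit under the base,
    //    even if a symlink or odd path component slipped through.
    $real = realpath($dir);
    if ($real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Constructed inputs: the first contains only whitelisted characters; the
// remaining three contain whitespace, ':' or '.' and '/' and so are refused.
var_dump(customerDlDir('A1B2C3D4'));
var_dump(customerDlDir(' Ans:ws'));
var_dump(customerDlDir('An:js'));
var_dump(customerDlDir('../../etc'));
```

Keeping the whitelist on the customer number alone, rather than on the composed path, is what lets the pattern drop '.', '/' and whitespace entirely.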
divedj
Forum Commoner
Posts: 47
Joined: Wed Dec 29, 2010 4:32 am
Location: Malta

Re: unauthorised writing to folder below webroot

Post by divedj »

I think I got it.

Since I added a htaccess file with a deny statement, it looks like the unauthorised writing stopped. At least for now.
Since the affected folder is lying below the webroot I didn't think of adding a htaccess file. However, it looks like it did the job.

As suggested by Mordred, I did remove . and / from the preg_match statement.

Thanks to all the ones looking in to the problem.