unauthorised writing to folder below webroot

Posted: Wed Mar 30, 2011 1:11 am
by divedj
Hi everybody,
I've got a security problem with a download folder below the webroot. This folder contains subfolders where customers get access to their purchased items after payment.
Somehow, somebody is able to write to this download folder and fill it up with empty subfolders.

Here is the code I am using to write the customers' items to their subfolders.

Code:

function prepareDl($customerNo, $cart_items)
{
    // Directory definitions: source (relative to this script) and target
    $prev = "../../";
    $dir = DL_BASE."DJPdl_".substr($customerNo, 0, 8);
    $sourceDir = $prev.$dir."/";
    $dlDir = $dir."/";
    $baseDir = "../../content/album/source/";

    // Check the directory string for valid characters and create it if it does not exist yet.
    // Note: the pattern still admits '/', '.' and whitespace, so $dir is not restricted to a single path component.
    if(!is_dir($dir))
    {
        if(preg_match("/^[a-z0-9_.\/\s]+$/i", $dir))
        {
            mkdir($dir, 0755);
        }
        else
        {
            $msg = "Error creating a customer subdirectory $dir!";
            email::errorMsg($msg);
            exit;
        }
    }

    $i = 0;            // number of items copied successfully
    $success_msg = ""; // collected copy errors, mailed at the end if any item failed

    // Copy every purchased item from the album source tree into the customer's download folder
    foreach($cart_items as $item)
    {
        if(!copy($item, str_replace($baseDir, $dlDir, $item)))
        {
            $success_msg .= "An error occurred. Could not copy ".$item.".";
        }
        else
        {
            $i++;
        }
    }
    if($i < count($cart_items))
    {
        email::errorMsg($success_msg);
    }
    return $i;
}
Even checking the directory string I am getting things like
DJPdl_ Ans:ws or DJPdl_An

Code:

:js
written to it.

The directory root being written to is below the webroot like /root/something/temp/downloads.

Any ideas to stop unauthorised writing to the directory would be great.

Thanks

Re: unauthorised writing to folder below webroot

Posted: Wed Mar 30, 2011 4:38 am
by Mordred
Funny, the substr shouldn't allow what you observe. Are you sure this is the only call to mkdir() you make?
Also, you shouldn't allow . and \ in folder names.
Do $cart_items contain user input?

Re: unauthorised writing to folder below webroot

Posted: Wed Mar 30, 2011 6:51 am
by divedj
First thanks for your reply.

It is definitely the only call to mkdir.

I could check the directory to create before I combine it with the directory base string, which would allow me to take / and . out of preg_match.

$cart_items does not hold any user input. The content gets pulled out of a db table which I also checked for unauthorised entries. However, the table is clean.

The information used to create the directory is coming from a table to which only a payment processor writes, with no user input at all.

That's why I am quite a bit puzzled on the matter.

I am very open to any ideas.

Thanks again
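The approach divedj describes here (validating the customer-derived name on its own before joining it to the base directory, so that '.' and '/' can be dropped from the whitelist, as Mordred suggested) can be written as follows. This is an added example, not divedj's code or a fix from the thread; it assumes DL_BASE is the base path for customer download folders (the constant is on the page, its value is not, so a temp directory is defined here for the demo), and that $cart_items are filesystem paths under the album source tree, as the original copy() call implies. Unlike the original it copies each item under its basename into the customer folder, so the source path can never steer the destination, and it logs every rejected component instead of creating it.

```php
<?php
// Added example, not the code from the thread. DL_BASE is assumed to point at
// the customer download base; a temp directory is used so the demo runs anywhere.
define('DL_BASE', sys_get_temp_dir() . '/djp_example/downloads/');

// Validate the customer-derived component by itself, before any base path is
// joined to it: only [A-Za-z0-9_], 1 to 8 characters. '.', '/', '\' and
// whitespace (which the original pattern admitted) are rejected outright.
function customerDirName(string $customerNo): ?string
{
    $part = substr($customerNo, 0, 8);
    if (!preg_match('/^[A-Za-z0-9_]{1,8}$/', $part)) {
        return null;
    }
    return 'DJPdl_' . $part;
}

// Confirm that a path really resolves inside a base directory. realpath()
// collapses '..' and symlinks, so this catches escapes the regex cannot see.
function isInside(string $path, string $base): bool
{
    $realBase = realpath($base);
    $realPath = realpath($path);
    if ($realBase === false || $realPath === false) {
        return false;
    }
    $realBase = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strpos($realPath . DIRECTORY_SEPARATOR, $realBase) === 0;
}

// Hardened variant of prepareDl(): returns the number of items copied.
function prepareDlHardened(string $customerNo, array $cart_items, string $baseDir): int
{
    $name = customerDirName($customerNo);
    if ($name === null) {
        // Log the raw bytes so odd input (like " Ans:ws") is visible in the log.
        error_log('prepareDl: rejected customer directory component, customerNo=0x' . bin2hex($customerNo));
        return 0;
    }
    $dlDir = rtrim(DL_BASE, '/') . '/' . $name;
    if (!is_dir($dlDir) && !mkdir($dlDir, 0755, true)) {
        error_log("prepareDl: mkdir failed for $dlDir");
        return 0;
    }
    if (!isInside($dlDir, DL_BASE)) {
        error_log("prepareDl: $dlDir resolves outside " . DL_BASE);
        return 0;
    }

    $copied = 0;
    foreach ($cart_items as $item) {
        // Only files that actually live in the album source tree are copied, and
        // the target name is the basename, so $item cannot choose the destination.
        if (!is_file($item) || !isInside($item, $baseDir)) {
            error_log("prepareDl: skipped item outside source tree: $item");
            continue;
        }
        if (copy($item, $dlDir . '/' . basename($item))) {
            $copied++;
        } else {
            error_log("prepareDl: could not copy $item");
        }
    }
    return $copied;
}

// Constructed demo data: one album file, one valid customer number and the
// odd value seen in the thread, which is rejected before anything is created.
$baseDir = sys_get_temp_dir() . '/djp_example/source';
@mkdir($baseDir, 0755, true);
@mkdir(DL_BASE, 0755, true);
file_put_contents($baseDir . '/track01.mp3', 'constructed sample data');

var_dump(prepareDlHardened('12345678', [$baseDir . '/track01.mp3'], $baseDir));
var_dump(prepareDlHardened(' Ans:ws', [$baseDir . '/track01.mp3'], $baseDir));
var_dump(customerDirName('../../x'));
var_dump(is_dir(DL_BASE . 'DJPdl_ Ans:ws'));
```

Run it with `php` from the command line; the first call copies the file into DJPdl_12345678, the second is refused because the component fails the whitelist, and the last check shows no folder was created for the rejected name. Because the validation happens on the component alone, the base directory can stay a normal path with '/' and '.' in it without those characters being allowed in the customer part.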

Re: unauthorised writing to folder below webroot

Posted: Thu Mar 31, 2011 8:14 am
by divedj
I think I got it.

Since I added a htaccess file with a deny statement, it looks like the unauthorised writing stopped. At least for now.
Since the affected folder is lying below the webroot I didn't think of adding a htaccess file. However, it looks like it did the job.

As suggested by Mordred, I did remove . and / from the preg_match statement.

Thanks to all the ones looking into the problem.