URL security hole fixing '../'

Question

I have facing an issue of URL routing in PHP.

In my localhost I have two project directory:

1. project_one:
  - index.php
  - other_directorys
1. hacking_script:
  - index.php
  - database_dump.php

when I have to access my project_one I go with localhost/project_one this work correct. But when I have input in this localhost/project_one/../../hacking_script it's open localhost/hacking_script/index.php file.

So how to prevent it, I didn't get any idea. Can I use .htaccess to prevent it? If yes then how?

yes, when i type `localhost/project_one/../../hacking_script` then it redirect to `localhost/hacking_script/` not came into my `project_one` index.php file — Himanshu, May 02 '16 at 11:05
Show your full `.htaccess` and `index.php` or the routing script. — Praveen Kumar Purushothaman, May 02 '16 at 11:05
i have just plain `index.php` and i don't use `.htaccess` in this project — Himanshu, May 02 '16 at 11:07
That's how the URLs work. Nothing to prevent it. It is the expected behaviour. — Praveen Kumar Purushothaman, May 02 '16 at 11:09
Try this: http://stackoverflow.com/users/../questions/36980771/url-security-hole-fixing — Praveen Kumar Purushothaman, May 02 '16 at 11:10

score 2 · Answer 1 · edited May 23 '17 at 12:15

2

If you are speaking about routing, you are speaking about this:

Request -> Router -> GetController -> ExecuteAction

This means GetController will most likly include or require some files... There is the part, you need to make sure, it is only requiring allowed files. For example with a whitelist (Which is the recommended way). Or make sure, that no special characters like ../ are allowed.

edited May 23 '17 at 12:15

Community

1
1

answered May 02 '16 at 13:17

Christian Gollhardt

16,510
17
74
111

Actually this was my first answer. Then I understood the question in detail and changed my answer. :) – Praveen Kumar Purushothaman May 02 '16 at 13:29

Praveen Kumar Purushothaman · Accepted Answer · 2016-05-02T11:11:22.777

1

This is how URLs work in browser. If you have this question's site:

http://stackoverflow.com/questions/36980771

And if you try:

http://stackoverflow.com/users/../questions/36980771

This will redirect to the same page. This is Status By Design.

edited May 02 '16 at 11:11

answered May 02 '16 at 10:58

Praveen Kumar Purushothaman

164,888
24
203
252

not by behaviour but if you hacked some your project `project_one` main directory `www` & you create directory like `hacking_script` and you put some code like `var_dump($_SESSION)` or `var_dump($_COOKIE)` then it also output the whole session or cookie value set in `project_one` – Himanshu May 02 '16 at 11:18
I finalize that thing, you're right.!!. Ty for your time:) – Himanshu May 02 '16 at 12:48
Maybe status by design for stackoverflow. But it's not the case, for every software. Imagine `http://example.com/../php/php.ini` will somehow routed to `require('../php/php.ini')` – Christian Gollhardt May 02 '16 at 13:28
@ChristianGollhardt Depends. – Praveen Kumar Purushothaman May 02 '16 at 13:29

URL security hole fixing '../'

2 Answers2