2

I ran a Gray Box Assessment test for an application I developed and I have some vulnerabilities, specifically a Path Manipulation in the Input Validation category.

I have in my code:

if (move_uploaded_file($_FILES["file"]["tmp_name"],"contacts_load/" . $fileName)) {
    if ($import = fopen ("contacts_load/" . $fileName,"r")) {

and:

unlink("contacts_load/" . $fileName);

The problem is in contacts_load/.

Below you are going to find some information about this:

Description: Allowing user input to control paths used in filesystem operations could enable an attacker to access or modify otherwise protected system resources.

Specific Scenario:

Path manipulation errors occur when the following two conditions are met:

  1. An attacker can specify a path used in an operation on the filesystem.

  2. By specifying the resource, the attacker gains a capability that would not otherwise be permitted.

For example, the program may give the attacker the ability to overwrite the specified file or run with a configuration controlled by the attacker.

How can I prevent the path manipulation for this specific scenario?

5
  • Where does $fileName come from? Commented Dec 9, 2014 at 20:52
  • From here: $fileName = Date("YmdHis")."_".$_FILES["file"]["name"]; but the issue is in the path (contacts_load/). Commented Dec 9, 2014 at 20:53
  • 1
    $_FILES["file"]["name"] already contains the basename of the filename provided in the request. Commented Dec 9, 2014 at 20:55
  • 1
    The issue is with $_FILES["file"]["tmp_name"]. It's user supplied and is a path/file. Commented Dec 9, 2014 at 21:00
  • You are right, I was confused; the issue is with the filename, because the attacker could provide a file name such as "../../tomcat/conf/server.xml" and cause a problem in the file system. Commented Dec 9, 2014 at 21:03

2 Answers 2

1

There is no problem with contacts_load/. The user cannot modify it.

I do recommend you sanitize $_FILES["file"]["name"] though. This answer should be helpful.


3 Comments

The issue is in the file path, not in the filename.
@JuanSedano The user cannot control it. What concerns do you have?
You are right, I was confused; the issue is with the filename, because the attacker could provide a file name such as "../../tomcat/conf/server.xml" and cause a problem in the file system.
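One way to apply the sanitization recommended in the answer above to the question's upload code, as an added example that is not part of the original thread. The helper names `safe_upload_name` and `upload_destination`, the `UPLOAD_DIR` constant, the 100-character limit and the directory layout are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumed layout: contacts_load/ sits beside this script, as in the question.
const UPLOAD_DIR = __DIR__ . '/contacts_load';

// Hypothetical helper: reduce a client-supplied name to a safe leaf name.
// Returns null when nothing usable is left.
function safe_upload_name(string $clientName): ?string
{
    // Treat backslashes as separators too, then keep only the last component.
    $leaf = basename(str_replace('\\', '/', $clientName));
    // Allow-list: letters, digits, dot, dash, underscore; anything else becomes "_".
    $leaf = preg_replace('/[^A-Za-z0-9._-]/', '_', $leaf) ?? '';
    // Strip leading dots so ".", ".." and dotfiles such as ".htaccess" cannot result.
    $leaf = ltrim($leaf, '.');
    if ($leaf === '' || strlen($leaf) > 100) { // length limit is an assumption
        return null;
    }
    return date('YmdHis') . '_' . $leaf;
}

// Hypothetical helper: build the destination and confirm it stays inside UPLOAD_DIR.
function upload_destination(string $clientName): ?string
{
    $name = safe_upload_name($clientName);
    $base = realpath(UPLOAD_DIR);
    if ($name === null || $base === false) {
        return null;
    }
    $dest = $base . DIRECTORY_SEPARATOR . $name;
    // The file does not exist yet, so resolve its parent directory instead.
    return realpath(dirname($dest)) === $base ? $dest : null;
}

// Usage in the upload handler, replacing the concatenated "contacts_load/" paths.
if (isset($_FILES['file']) && $_FILES['file']['error'] === UPLOAD_ERR_OK) {
    $dest = upload_destination($_FILES['file']['name']);
    if ($dest !== null && move_uploaded_file($_FILES['file']['tmp_name'], $dest)) {
        if ($import = fopen($dest, 'r')) {
            // ... read the contacts here ...
            fclose($import);
        }
        unlink($dest); // same validated path, never rebuilt from request data
    }
}
```

With this in place a submitted name such as "../../tomcat/conf/server.xml" is reduced to a timestamped `server.xml` inside `contacts_load/`, and a name consisting only of dots is rejected.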
1

.htaccess file?

# Protect files and directories from prying eyes.
<FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig\.save)$">
  Order allow,deny
</FilesMatch>

# Don't show directory listings for URLs which map to a directory.
Options -Indexes
