• Directory Traversal: Security Threats and Defenses

    This article explains the threat posed by Directory Traversal

    and the defenses each programming language provides against it.

    Examples of websites vulnerable to Directory Traversal

    These examples share one characteristic: a filename supplied by the client selects the page or file that is served.

    An attacker can therefore submit a different filename, or change the path, to read other resources on the web server.

    http://example.com.br/get-files.jsp?file=report.pdf
    
    http://example.com.br/get-page.php?home=aaa.html
    
    http://example.com.br/some-page.asp?page=index.html

    Directory Traversal attack example 1

    http://example.com.br/get-files?file=../../../../somedir/somefile
    
    http://example.com.br/../../../../etc/shadow
    
    http://example.com.br/get-files?file=../../../../etc/passwd

    Directory Traversal attack example 2

    The CWE entries below are all variants that modify the path in order to reach other file resources. The entries from CWE-41 onward are path-equivalence variants: alternative spellings of the same name (trailing dots, extra slashes, wildcards) that an attacker uses to get past a filename filter.

    CWE-24: Path Traversal: '../filedir'
    CWE-25: Path Traversal: '/../filedir'
    CWE-26: Path Traversal: '/dir/../filename'
    CWE-27: Path Traversal: 'dir/../../filename'
    CWE-28: Path Traversal: '..\filedir'
    CWE-29: Path Traversal: '\..\filename'
    CWE-30: Path Traversal: '\dir\..\filename'
    CWE-31: Path Traversal: 'dir\..\..\filename'
    CWE-32: Path Traversal: '...' (Triple Dot)
    CWE-33: Path Traversal: '....' (Multiple Dot)
    CWE-34: Path Traversal: '....//'
    CWE-35: Path Traversal: '.../...//'
    CWE-36: Absolute Path Traversal
    CWE-37: Path Traversal: '/absolute/pathname/here'
    CWE-38: Path Traversal: '\absolute\pathname\here'
    CWE-39: Path Traversal: 'C:dirname'
    CWE-40: Path Traversal: '\\UNC\share\name\' (Windows UNC Share)
    CWE-41: Improper Resolution of Path Equivalence
    CWE-42: Path Equivalence: 'filename.' (Trailing Dot)
    CWE-43: Path Equivalence: 'filename....' (Multiple Trailing Dot)
    CWE-44: Path Equivalence: 'file.name' (Internal Dot)
    CWE-45: Path Equivalence: 'file...name' (Multiple Internal Dot)
    CWE-46: Path Equivalence: 'filename ' (Trailing Space)
    CWE-47: Path Equivalence: ' filename' (Leading Space)
    CWE-48: Path Equivalence: 'file name' (Internal Whitespace)
    CWE-49: Path Equivalence: 'filename/' (Trailing Slash)
    CWE-50: Path Equivalence: '//multiple/leading/slash'
    CWE-51: Path Equivalence: '/multiple//internal/slash'
    CWE-52: Path Equivalence: '/multiple/trailing/slash//'
    CWE-53: Path Equivalence: '\multiple\\internal\backslash'
    CWE-54: Path Equivalence: 'filedir\' (Trailing Backslash)
    CWE-55: Path Equivalence: '/./' (Single Dot Directory)
    CWE-56: Path Equivalence: 'filedir*' (Wildcard)

    Defenses in each programming language

    User-supplied paths and filenames must therefore be validated and restricted.

    Every programming language provides an API that canonicalizes a path, resolving "..", ".", repeated separators and, in most of these implementations, symbolic links. Canonicalize the user-supplied path with one of these functions and then verify that the result still lies inside the directory you intend to serve; canonicalization on its own rejects nothing, the comparison against the base directory is the actual check. The functions are:

    • realpath() in C
    • getCanonicalPath() in Java
    • GetFullPath() in ASP.NET
    • realpath() or abs_path() in Perl
    • realpath() in PHP
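    The C variant of that defense, as an added example that is not code from the original article: realpath() canonicalizes the base directory and the joined path, and a containment check then confirms the result is still under the served directory. The directory layout, the file names and the function names safe_resolve, make_sandbox and demo_checks are assumptions made for the demonstration; the demo tree is constructed under /tmp when the program runs.

```c
#define _XOPEN_SOURCE 700 /* realpath(), mkdtemp(), symlink(), strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Resolve `requested` (the user-controlled ?file= value) under `base_dir`.
 * Returns a malloc'ed canonical path if the target exists and stays inside
 * base_dir, NULL otherwise (caller frees the result). Hypothetical helper. */
char *safe_resolve(const char *base_dir, const char *requested)
{
    char *base = realpath(base_dir, NULL);
    if (!base) return NULL;
    /* Always prefix the base, so an absolute `requested` (CWE-36/37)
     * cannot replace it. */
    size_t n = strlen(base) + strlen(requested) + 2;
    char *joined = malloc(n);
    if (!joined) { free(base); return NULL; }
    snprintf(joined, n, "%s/%s", base, requested);
    /* realpath() collapses "..", "." and repeated slashes and follows symlinks,
     * so the check below sees the physical target; it fails for a missing file. */
    char *resolved = realpath(joined, NULL);
    free(joined);
    if (!resolved) { free(base); return NULL; }
    /* Containment: resolved is base itself or starts with base + "/". Checking
     * the separator stops "/srv/files2/x" passing as a child of "/srv/files". */
    size_t bl = strlen(base);
    int inside = (bl == 1 && base[0] == '/') ||
                 (strncmp(resolved, base, bl) == 0 &&
                  (resolved[bl] == '/' || resolved[bl] == '\0'));
    free(base);
    if (!inside) { free(resolved); return NULL; }
    return resolved;
}

static int write_file(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(text, f);
    return fclose(f);
}

/* Constructed demo tree (assumed layout, not from the article):
 *   <tmp>/secret.txt                  outside the served directory
 *   <tmp>/docs2/file.txt              sibling that shares the "docs" prefix
 *   <tmp>/docs/report.pdf             the one file a client may fetch
 *   <tmp>/docs/link -> ../secret.txt  symlink pointing out of docs */
char *make_sandbox(void)
{
    char root[] = "/tmp/traversal-demo-XXXXXX", p[4096];
    if (!mkdtemp(root)) return NULL;
    snprintf(p, sizeof p, "%s/secret.txt", root);
    if (write_file(p, "top secret\n")) return NULL;
    snprintf(p, sizeof p, "%s/docs2", root);
    if (mkdir(p, 0700)) return NULL;
    snprintf(p, sizeof p, "%s/docs2/file.txt", root);
    if (write_file(p, "sibling\n")) return NULL;
    snprintf(p, sizeof p, "%s/docs", root);
    if (mkdir(p, 0700)) return NULL;
    snprintf(p, sizeof p, "%s/docs/report.pdf", root);
    if (write_file(p, "quarterly report\n")) return NULL;
    snprintf(p, sizeof p, "%s/docs/link", root);
    if (symlink("../secret.txt", p)) return NULL;
    snprintf(p, sizeof p, "%s/docs", root);
    return strdup(p); /* the served directory */
}

/* Replays the article's attack examples against the sandbox; returns how
 * many scenarios behaved correctly (8 when everything is right). */
int demo_checks(void)
{
    char *docs = make_sandbox(), *p;
    int ok = 0;
    if (!docs) return -1;
    /* Legitimate requests, like get-files.jsp?file=report.pdf */
    if ((p = safe_resolve(docs, "report.pdf"))) { ok++; free(p); }
    if ((p = safe_resolve(docs, "./report.pdf"))) { ok++; free(p); }
    /* Attack example 1: ".." climbs out of docs (CWE-24, CWE-27) */
    ok += safe_resolve(docs, "../secret.txt") == NULL;
    ok += safe_resolve(docs, "../../../../etc/passwd") == NULL;
    /* Absolute path (CWE-37): prefixed with base, it simply does not exist */
    ok += safe_resolve(docs, "/etc/passwd") == NULL;
    /* Shared-prefix sibling: a bare strncmp() prefix test would accept it */
    ok += safe_resolve(docs, "../docs2/file.txt") == NULL;
    /* Symlink escape: lexically inside docs, physically outside */
    ok += safe_resolve(docs, "link") == NULL;
    /* Caveat: a file that does not exist is rejected as well (ENOENT) */
    ok += safe_resolve(docs, "missing.pdf") == NULL;
    free(docs);
    return ok;
}

int main(void)
{
    int ok = demo_checks();
    printf("%d of 8 scenarios behaved as expected\n", ok);
    return ok == 8 ? 0 : 1;
}
```

    Two things the block makes visible that the API list alone does not: realpath() only resolves paths that exist, so a missing file and a traversal attempt both come back as NULL (inspect errno if the application needs to tell them apart), and the interval between the realpath() check and the later open() is a time-of-check/time-of-use window if an attacker can swap a symlink under the served directory in between. The same canonicalize-then-compare pattern applies to the other functions in the list above.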