Let's say I can control the variable $path and the full path is generated as follows:

$full_path = "./valid_dir/docs/" . trim($path) ;
readfile($full_path) ;

where docs is a non-existent dir in the path.

Is it still possible, with some trick perhaps to ignore docs, to perform a path traversal attack?

Neil Smithline

1 Answer

Is it still possible, with some trick perhaps to ignore docs, to perform a path traversal attack?

Yes, it's pretty simple, just use ../ and it will be normalized before the file is opened (on *nix systems anyway, I don't know for sure on Windows).

Something like this would work.

$path = '../test.txt';
$full_path = "./valid_dir/docs/" . trim($path);
readfile($full_path);
Alexander O'Mara
  • Thanks for the answer. I've found the issue. I tried to put the case as simplified as possible and omitted an if with file_exists(). readfile() does normalize but file_exists() does not :s –  Jun 01 '16 at 00:53
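
A defensive counterpart to the snippets above, added here as an example and not code from the question or the answer: canonicalise the joined path with realpath() and confirm the result is still under the base directory before calling readfile(). The helper name resolve_under_base, the manual.txt and nodir names, and the temp-directory layout are assumptions constructed for the demo.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: returns the canonical path of a regular file that
// lies under $baseDir, or null when the request must be refused.
function resolve_under_base(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);            // false if the base does not exist
    if ($base === false || !is_dir($base)) {
        return null;                       // fail closed, e.g. missing docs/
    }
    $userPath = trim($userPath);
    if ($userPath === '' || strpos($userPath, "\0") !== false) {
        return null;
    }
    // realpath() resolves ../ and symlinks against the real filesystem.
    $real = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Compare with a trailing separator so "docs_old" does not match "docs".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed sample tree in a temp directory (not from the original post).
$root = sys_get_temp_dir() . '/pt_demo_' . bin2hex(random_bytes(4));
mkdir("$root/valid_dir/docs", 0700, true);
file_put_contents("$root/valid_dir/docs/manual.txt", "inside docs\n");
file_put_contents("$root/valid_dir/test.txt", "outside docs\n");

$cases = [
    ["$root/valid_dir/docs", 'manual.txt'],      // file inside docs/
    ["$root/valid_dir/docs", ' ../test.txt '],   // resolves outside docs/
    ["$root/valid_dir/nodir", '../test.txt'],    // base directory is missing
];
foreach ($cases as [$base, $path]) {
    $real = resolve_under_base($base, $path);
    printf("%-14s => %s\n", trim($path), $real === null ? 'rejected' : 'served');
    // A caller would only now do: readfile($real);
}

// Remove the constructed files.
unlink("$root/valid_dir/docs/manual.txt");
unlink("$root/valid_dir/test.txt");
rmdir("$root/valid_dir/docs");
rmdir("$root/valid_dir");
rmdir($root);
```

Because the containment check runs on the canonical path that is later opened, it does not depend on whether an earlier existence test and readfile() treat ../ the same way.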