
My website shows some files based on the GET value in the URL. For example: `http://www.mysit.com/navigate.php?d=firstpage.html`. The thing is, navigate.php knows which folder to look in, and it's not in the web root directory. Are there any precautions I should take? For example, what effect does `.` or `..` have on a URL? If an attacker entered `http://www.mysit.com/navigate.php?d=../topsecret`, could they gain unauthorized access?

Celeritas

2 Answers


You should be sure to put additional filtering on it to make sure it doesn't try things like that. Personally, at a minimum, I would attempt to parse and reform the input and make sure that no operations like directory changes can occur.

A better option would be to store the filenames in a DB and pass in a simple token that could be used to look up the filename to use. This could then be filtered for any input that doesn't fit what is needed for your tokens. It also could allow your site to work without having to update the GET information unless you specifically want that for linking functionality.

AJ Henderson
  • I'm open to any ideas so let's talk about the database. Are you saying to make a database so that when the value for GET is `abc` (i.e. `navigate.php?d=abc`) the database would map `abc` to `firstpage.html`? Or would it make more sense to have stored in the database a list of viewable pages and if the GET value (i.e. `firstpage.html`) isn't on the list the page is not displayed? – Celeritas May 08 '13 at 20:33
  • Either one is really a simple viable option and will be a better starting point. The big trick is that if you open up more complex input, the escaping you need to do to prevent SQL injection becomes more complex. Note that this also would let you start doing interesting things like specifying which pages are public vs private and could be expanded to support a login pretty easily. (You just add a check of the permissions before PHP loads the page's contents.) If you wanted, you could even store the contents of the page in the DB, but that's getting more into web design than security. – AJ Henderson May 08 '13 at 20:54
  • @Celeritas it's very good that you are seeking to make sure you do things securely early on though. It will be a great service to you as you develop your skills. – AJ Henderson May 08 '13 at 20:56
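The token lookup this answer recommends, as an added example in PHP that is not part of the original answer. The `PAGES` array stands in for the database table, and the `PAGE_DIR` path is an assumption; the only thing taken from the request is an opaque token, so input like `../topsecret` never reaches the filesystem.

```php
<?php
// Added example (not from the original answer): a navigate.php that serves
// pages only through an allow-list of tokens, as AJ Henderson suggests.
declare(strict_types=1);

// Folder holding the viewable pages, outside the web root (assumed path).
const PAGE_DIR = '/var/www/private_pages';

// Allow-list: opaque token => filename. Stands in for the DB table; only
// these files can ever be served, whatever the client sends.
const PAGES = [
    'home'  => 'firstpage.html',
    'about' => 'about.html',
];

/**
 * Resolve a request token to an absolute file path, or null if the token
 * is malformed, unknown, or resolves outside PAGE_DIR.
 */
function resolvePage(string $token): ?string
{
    // Reject anything that is not a short, plain token before any lookup.
    if (!preg_match('/\A[a-z0-9_-]{1,32}\z/', $token)) {
        return null;
    }
    if (!array_key_exists($token, PAGES)) {
        return null;                                // unknown token
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . PAGES[$token]);
    // Defence in depth: the resolved file must still sit inside PAGE_DIR.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// $_GET['d'] can be an array (?d[]=x), so only accept a string.
$token = $_GET['d'] ?? '';
$path  = resolvePage(is_string($token) ? $token : '');
if ($path === null) {
    http_response_code(404);
    exit('Page not found');
}
readfile($path);
```

Links on the site then use `navigate.php?d=home` rather than a filename, which is the GET value the first comment asks about.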

To answer your question, it all depends on how your site treats the input parameter. If, as mentioned, it is possible to change the directory using the input, then yes.

GET params just end up as strings when they get to PHP; you are not sending it special commands like you would in a command-line interface (unless it is coded that way in the PHP).

Hintron