Questions tagged [path-injection]

28 questions
93 votes, 8 answers

Can secret GET requests be brute forced?

Say, I have on my server a page or folder which I want to be secret. example.com/fdsafdsafdsfdsfdsafdrewrew.html or example.com/fdsafdsafdsfdsfdsafdrewrewaa34532543432/admin/index.html If the secret part of the path is quite long, can I assume…
Kargari
14 votes, 2 answers

Path traversal filter bypass techniques?

I have a Linux-based embedded system with web-interface for management purposes. According to one security paper, this web-server has rudimentary filter against directory traversal attacks in URL parameters. So in order to bypass the "../" filter,…
Martin
9 votes, 2 answers

Are there any sequences other than ../ which will be interpreted as directory traversal in *nix or Windows?

A common vulnerability is for web applications to accept a filesystem path as a request parameter, and then perform some action on the specified path. For example, retrieving a file and returning it to the user, or perhaps even writing/deleting a…
alexw
7 votes, 2 answers

How do you exploit Directory Traversal to traverse from one drive/share to another?

I'm trying to figure out if it is possible to traverse across drives or shares. If I have a path that is concatenated in a web application, where the prefix is a drive, such as this: var path = "D:\" + Request.Params["directory"]; Is it possible…
7 votes, 2 answers

Do sudo and .profile/.bashrc enable trivial privilege escalation?

First of all, let me mention that I’m assuming a configuration as set up by current Linux desktop distributions (e.g. Debian, Fedora). I’m sure that there are methods which, if implemented, would mitigate the issues described here. What I’m…
Socob
5 votes, 2 answers

Any vulnerabilities in allowing users to choose path of S3 file?

I'm building a web app that uses S3. In some of our operations, we're creating a file on S3 with a path that's directly dependent on user input, so an attacker might cause a file to be created on S3 with whichever path he wants. Is there a way for…
Ram Rachum
4 votes, 1 answer

strstr and fopen, is there a bypass?

I have a binary that does this: if (strstr(USERCONTROLLERSTRING, "..")) exit; fopen(CurrentPath+"\\Data\\"+USERCONTROLLEDSTRING, "r"); then spits out all the content of the file. Is there any obvious vulnerability here? It's a Windows service, it…
3 votes, 1 answer

How to protect the code of Windows applications against path traversal?

I'm writing a simple HTTP server in Lua and while I can easily find resources on how to secure against Unix directory traversal, I already found some caveats in the Windows version. While I'm already looking for C:\ at the beginning (C being "any…
d33tah
3 votes, 1 answer

What attacks use enabled Apache's PATH_INFO?

In Tangled Web Michal Zalewski says: If you are not using path-based parameter passing (such as PATH_INFO), consider disabling this feature. He gave only one example of this vulnerability. There HTTP response of downloaded file contained…
Andrei Botalov
2 votes, 3 answers

sql injection, exec and preg_replace filter

I've been informed this is not safe to use in regards to SQL injection: preg_replace("/[\"'%()@$.!&?_: #\/-]/","", mysql_real_escape_string($_GET['var'])); What would be the difference in the following…
quick_learner42
2 votes, 1 answer

Using this path traversal security issue

I used ZAP to scan one of my websites and found a path traversal issue. This is the information: Attack: c:/ URL: www.example.com/example.php Parameter: mail I am now tinkering around in the browser and in CMD with curl and try to get access…
Roman
2 votes, 1 answer

Sanitising a file/folder path from user input

I have an external server make backups of my main server via scp and a backup-only user account. I successfully restricted it to scp only using GNU Rush. The scp command below executed on the backup server downloads /var/www/website1/file2 from the…
mehov
2 votes, 1 answer

What are the dangers of extending my PATH?

Are there any dangers of extending my PATH, say by adding /Users/me/bin?
gen
1 vote, 2 answers

Is string concatenation vulnerable to null character in aspx?

I just saw this line of code in VB in one .aspx file: FileUpload.SaveAs(sPath & "/" & FileUpload.FileName) This line saves a file that a user uploaded. It uses the SaveAs method. I was worried about the sPath because the user can edit it. The user…
Rodrigo
1 vote, 3 answers

How to exploit this include_once vulnerability in PHP?

I'm performing a static analysis on a PHP code and came across this situation: include_once SYSTEM_PATH . 'languages/content-' . $_COOKIE ['lang'] . '.php'; If I try to hack with this HTTP request: GET /en-us HTTP/1.1 Host: xxxx.com User-Agent:…
jyz