apache security directory-traversal file-inclusion

How do I access the parent directory of public_html in Apache?


I remember reading a while ago how it's possible for someone to access your computer's filesystem from the website. I want to know how to do it, so I can test and prevent it from happening.

Running Apache 2.4 on Windows via XAMPP

My virtualhost is set up like so:

<VirtualHost *:80>
    ServerName local.scrap
    DocumentRoot "D:/Dropbox/www/scrap/public_html/"
    <Directory "D:/Dropbox/www/scrap/">
    Order allow,deny
    Allow from all
    Require all granted
    </Directory>
    ErrorLog "D:/Dropbox/www/scrap/logs/error.log"
</VirtualHost>

There is an index2.html in scrap/ and index.html in scrap/public_html/

hosts is set up to be 127.0.0.1 local.scrap

If I type the URL http://local.scrap/ I get index.html. If I type the URL http://local.scrap/../index2.html it gets redirected to http://local.scrap/index2.html

Why is the ../ URL getting redirected to the DocumentRoot path?


Solution

  • Oftentimes a non-malicious user-agent will resolve ../ in the URL before it ever contacts the server. But even without that, webservers are designed to not allow that kind of directory traversal outside of context roots.

    You'd need to test with telnet/netcat/s_client to be sure.
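
The two behaviours described in the answer, as an added example that is not part of the original answer: `remove_dot_segments` follows RFC 3986 section 5.2.4, the normalization a browser applies before sending, and `status_line` sends the path verbatim the way telnet or netcat would. The function names are chosen for this example; the host `local.scrap` and the path are taken from the question.

```python
import socket

def remove_dot_segments(path: str) -> str:
    """RFC 3986 section 5.2.4: resolve "." and ".." segments client-side."""
    out, inp = [], path
    while inp:
        if inp.startswith("../"):
            inp = inp[3:]
        elif inp.startswith("./") or inp.startswith("/./"):
            inp = inp[2:]
        elif inp == "/.":
            inp = "/"
        elif inp.startswith("/../") or inp == "/..":
            inp = "/" + inp[4:]          # drop the ".." segment ...
            if out:
                out.pop()                # ... and the segment before it, if any
        elif inp in (".", ".."):
            inp = ""
        else:
            end = inp.find("/", 1)       # move one whole segment to the output
            end = len(inp) if end == -1 else end
            out.append(inp[:end])
            inp = inp[end:]
    return "".join(out)

def raw_request(host: str, path: str) -> bytes:
    """Build a request whose path is sent exactly as given, with no normalization."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")

def status_line(host: str, path: str, port: int = 80, timeout: float = 5.0) -> str:
    """Send the raw request to your own test vhost and return the status line."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(raw_request(host, path))
        return s.makefile("rb").readline().decode("latin-1").strip()

if __name__ == "__main__":
    typed = "/../index2.html"
    print("browser requests:   ", remove_dot_segments(typed))
    print("raw client requests:", typed)
    try:
        print("server answered:    ", status_line("local.scrap", typed))
    except OSError as exc:               # vhost not running or name not in hosts
        print("could not connect:", exc)
```

The first line of output explains the apparent redirect: the browser never asked for `/../index2.html` at all. The server's own handling is only exercised by the raw request.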