stop non-existent directory traversal

apache directory traversal

Guardian2006

4:14 pm on Jan 28, 2006 (gmt 0)

I have just discovered some weird behaviour on my server where apache is allowing traversal of non-existent public directories.
For example, if I create a hosting account with the domain www.example.com and place in it an index.php file (no other files or directories) I can type into the browser
www.example.com/index.php/index.php
www.example.com/////////
www.example.com/anything-you-like/index.php
www.example.com/anything/index.php/anything/index.php

All these URLs (and many more) get processed by the browser as a valid URL - one would expect a 404 error!

On a site using PHP scripts, if I type in a nonsense URL it gets processed, and then when I click a link on the page it appends the link URL to the nonsense URL
example.comindex.php/////////
example.com//////////test.php

Does anyone know why this happens?
Is there a temp fix I can try in htaccess to prevent this?

extras

4:44 pm on Jan 28, 2006 (gmt 0)

This is normal.

/ and /////// are treated the same by the OS.

Also, the part after index.php (or any .php, .cgi) isn't used as a path.

Some people use this instead of RewriteRule to create "Short URLs".

You can detect these and send them to 404 with RewriteRule.
But I don't think it's worth bothering.

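Added example (not extras' own code, nor anything posted in this thread) of what the .htaccess side of that could look like. It assumes mod_rewrite is loaded, that AllowOverride permits FileInfo for the site's document root, and Apache 2.2 or later for the R=404 flag (on 2.0, use [F] for a 403 instead, since R only accepted 3xx codes there). AcceptPathInfo Off covers the "/index.php/anything" case by making Apache return 404 for any trailing path info after a real file; the RewriteCond catches the repeated-slash case by looking at the raw request line, which mod_rewrite has not collapsed.

```apache
# .htaccess in the document root (added example; assumptions noted above)

# Refuse requests with trailing path info after an existing file,
# e.g. /index.php/index.php -> 404 instead of running index.php
AcceptPathInfo Off

RewriteEngine On

# THE_REQUEST is the raw request line, e.g. "GET //foo/index.php HTTP/1.1".
# Match two or more consecutive slashes anywhere in the path part
# (before any "?" query string), whatever the method.
RewriteCond %{THE_REQUEST} ^[A-Z]+\s[^?\s]*//
RewriteRule ^ - [R=404,L]
```

To check it, request a clean URL (should still serve), then the same URL with "//" in the path and with "/index.php/extra" appended; the last two should now return 404 and the access log should show the 404 status for them. Note that AcceptPathInfo Off also breaks any script on the site that deliberately uses PATH_INFO for "short URLs", so only turn it off where nothing depends on that.
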
jdMorgan

5:15 pm on Jan 28, 2006 (gmt 0)

This URL is the only one that should not work. As long as /anything-you-like/ does not contain a period or question mark, this URL should not resolve:

www.example.com/anything-you-like/index.php

If /anything-you-like/ does contain a period or question mark, then it will resolve, just as extras has stated.

Ref: RFC2396 - Uniform Resource Identifiers (URI): Generic Syntax [faqs.org]

Jim