Please note these forums are mostly a testing ground for my SMF work and I don't really use them otherwise.

Main Menu

Programing secure directory reading scripts

Started by SleePy, Jun 26, 2008, 07:43 PM

Previous topic - Next topic

0 Members and 3 Guests are viewing this topic.


This has to be one of the funnest things I like to do.
Reading a directory in PHP is very simple, infact if you are using PHP 5 you can just use the scandir function and get the array it returns.
It is just as easy to use a $_GET or $_REQUEST to change the directory you are reading...

But what is going to stop somebody from doing some very clever hacking here and get to areas you don't want to allow them in?
The one thing you should know about hackors, is if its not easy to do or will waste to much time. They will most likely give up and go to somebody else who isn't as secure. There are some who if they are specifically attempting to attack you will waste that time.

Well while programing two different scripts recently I came across two methods I like nicely.

The first one is simple actually, Just base64 encode the relative path (ie /forum/index.php) and use that as part of the url.
Then in your script to view directories, you have that base64 value in a array of allowed strings. This is a simple method.
But what if I wanted to be dynamic?

Well I had to do this for another script I wrote and I thought hard about this and beheld a really simple, yet complex idea.
The first thing I did was treat each folder change as a new item in an array. So it was like dir[]=forum dir[]=Themes.
This was the simple part. I then throw out any bad ones such as people wanting to use any periods in the directory or slashes (This was it simply but I used a complex regex to match other things as well).
I didn't want to the array to be in plain text in the url. So I did something very simple and encoded the url using base64. While anyone code decode it, it added a layer and made it so that the single string going in had to be base64 encoded.

Now that I had things in check, I could manipulate it. I could easily drop the last item in the array off for somebody to go back a directory or add a new item to change to a new directory.

You may ask, why is it worth it? Well now that I knew exactly where my users where going, I could easily even block off certain folders. Such as a "Sources" folder that had "Forum" as its part array item. This was the fun part, I could do anything I wanted and block off only certain sections as well as string of words. So I could really give somebody access to see all a files in a directory without comprising my security.

Well I still wanted to take it to another level, just because I was in the mood for it. So I added two salts onto the url that gets passed to the user. The nice thing about it is in one of the salts is needed otherwise the script won't let you continue. It is a matching and nicely mixed into the array to make sure those who want to try and change the url, will need to do some work.
Now for the second salt I went into this with a little fun, I made it so this salt contains a encrypted one way string of the current directory they where viewing. This uses a few encryption methods and I won't disclose all of those as there is many out there such as sha1, sha256, md5, md4, etc all for usage and I did a combination of some of those and others in a mixture. So it would take a haxor a while to figure this out and get the pattern right that I was using..
With that in mind, I decided to make it randomly change those based on your session id. So if you get a new session it would add a key to it. This key itself is just a code that tells it which method of encryption it should be using. So yes I know have taken it to the next level by making sure those who want to figure it out may be spending hours to get things right and all the possible combination's it may have (I use a separate file that figures out which method I was using and either makes the match or kicks them as invalid, just so I didn't dirty up my code with all the possibilities and using a function is nicer :P )

So I had fun doing this and could even take more steps, but it works as I wanted it to and to let you know, this was just to view directories, I did let them view certain files and images, which took another step of work for me to do but it was worth it for the fact I know that those who attempt to exploit such things will most likely give up and go try somebody else who might not have been using as good security.

Thats all for this blog.
No siggy! :D