5. File System Concept
The filesystem is the view of your disks as seen by your operating system.
For example, in a default install Apache httpd resides at:
o Unix filesystem: /usr/local/apache2
o Windows filesystem: "C:/Program Files/Apache Group/Apache2"
6. File System Concept
Filesystem Structure
Directory: same as Windows directories
Filesystem: same as Windows drives
Windows: C:, D:, ...
Linux: /
7. File System Concept
Directory vs Filesystem
Directory: same as Windows directories
Filesystem: same as Windows drives
11. File System Concept
File Permissions
Note: The user here is not the person who is logged into your application; that person, and their role in the
application (admin, etc.), is completely irrelevant to this scenario.
The user is the Linux system user that the process runs under. The code of your website runs as
only one user: it may be the user of your web server (which isn't really a good thing), or it may
be a user specific to your site (which is much better).
Permissions, users and examples
Permissions: Read (r), Write (w), Execute (x)
Users: User/owner (u), Group (g), Other (o)
Examples:
u+w: user can write
g-x: group cannot execute
o-r: others cannot read
12. File System Concept
File Permissions
Numerical representation
Read: r = 4
Write: w = 2
Execute: x = 1
Examples (add the values of the bits that are set):
rwx = 4+2+1 = 7
r-x = 4+0+1 = 5
r-- = 4+0+0 = 4
13. File System Concept
File Permissions
Permission 754 is: rwxr-xr--
Symbolic ==> Numeric
User: can read, write and execute    USER   ==> rwx = 4+2+1 = 7
Group: can read and execute          GROUP  ==> r-x = 4+0+1 = 5
Others: can only read                OTHERS ==> r-- = 4+0+0 = 4
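The conversion the three permission slides walk through by hand, as an added example in PHP (not code from the original slides): it turns a symbolic string such as rwxr-xr-- into its octal value 754 and back, using the weights r=4, w=2, x=1 from the slide, and reports the mode of a path so an upload directory or file can be checked for bits it should not have. The function names are our own.

```php
<?php
// Added example: symbolic <-> octal permission conversion with the slide's weights (r=4, w=2, x=1).

function symbolicToOctal(string $symbolic): int
{
    // Exactly three triplets: user, group, other. Each position is either its letter or "-".
    if (!preg_match('/^([r-][w-][x-]){3}$/', $symbolic)) {
        throw new InvalidArgumentException("bad permission string: $symbolic");
    }
    $mode = 0;
    foreach (str_split($symbolic, 3) as $triplet) {
        $digit = 0;
        if ($triplet[0] === 'r') { $digit += 4; }
        if ($triplet[1] === 'w') { $digit += 2; }
        if ($triplet[2] === 'x') { $digit += 1; }
        $mode = ($mode << 3) | $digit;   // append one octal digit
    }
    return $mode;                        // e.g. 0754 (octal) == 492 (decimal)
}

function octalToSymbolic(int $mode): string
{
    $out = '';
    foreach ([6, 3, 0] as $shift) {      // user, group, other digits
        $digit = ($mode >> $shift) & 7;
        $out .= ($digit & 4) ? 'r' : '-';
        $out .= ($digit & 2) ? 'w' : '-';
        $out .= ($digit & 1) ? 'x' : '-';
    }
    return $out;
}

// Describe the mode of an existing path and flag bits an upload location should not carry:
// write access for "other", and the execute bit on a regular file.
function describeMode(string $path): string
{
    $perms = @fileperms($path);
    if ($perms === false) {
        return "$path: cannot stat";
    }
    $mode = $perms & 0777;
    $warnings = [];
    if ($mode & 0002) {
        $warnings[] = 'writable by others';
    }
    if (!is_dir($path) && ($mode & 0111)) {
        $warnings[] = 'execute bit set on a file';
    }
    return sprintf('%s: %s %s%s', $path, decoct($mode), octalToSymbolic($mode),
        $warnings ? ' WARNING: ' . implode(', ', $warnings) : '');
}

// Worked values from the slides.
printf("rwxr-xr-- -> %s\n", decoct(symbolicToOctal('rwxr-xr--')));   // 754
printf("754       -> %s\n", octalToSymbolic(0754));                  // rwxr-xr--
printf("r--       -> %d\n", symbolicToOctal('r--------') >> 6);      // 4
echo describeMode('/tmp'), "\n";   // whatever the local /tmp mode is, e.g. 1777 masked to 777
```

Run it with the PHP CLI; `symbolicToOctal()` returns a PHP integer, so print it with `decoct()` to see the familiar three-digit form and pass it to `chmod()` as-is.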
15. File System Concept
Webspace Concept
The webspace is the view of your site as delivered by the web server and
seen by the client.
So the path /dir/ in the webspace corresponds to the path
/usr/local/apache2/htdocs/dir/ in the filesystem of a default Apache
httpd install on Unix.
The webspace need not map directly to the filesystem, since webpages
may be generated dynamically from databases or other locations.
17. Path traversal & File Inclusion
File Upload
File upload helps in increasing your business efficiency.
File uploads are allowed in social network web applications, such as
Facebook and Twitter. They are also allowed in blogs, forums, e-banking
sites, YouTube and also in corporate support portals, to give the
opportunity to the end user to efficiently share files with corporate
employees.
The more functionality provided to the end user, the greater the risk of
having a vulnerable web application.
18. Path traversal & File Inclusion
File Upload
When PHP receives a POST request with encoding type multipart/form-data, it creates a temporary
file with a random name in a temp directory (e.g. /var/tmp/php6yXOVs). PHP also populates the
global array $_FILES with information about the uploaded file:
o $_FILES['uploadedfile']['name']: the original name of the file on the client machine
o $_FILES['uploadedfile']['type']: the MIME type of the file, as claimed by the client
o $_FILES['uploadedfile']['size']: the size of the file in bytes
o $_FILES['uploadedfile']['tmp_name']: the temporary filename under which the uploaded file was
stored on the server
19. Path traversal & File Inclusion
Why Are File Upload Forms a Major Security Threat?
The first step in many attacks is to get some code onto the system to be
attacked. Then the attacker only needs to find a way to get that code
executed. A file upload helps the attacker accomplish the first step.
The consequences of unrestricted file upload can vary, including
complete system takeover, an overloaded file system, forwarding attacks
to backend systems, and simple defacement. It depends on:
o what the application does with the uploaded file
o where the file is stored
20. Path traversal & File Inclusion
Why File Upload Forms are a Major Security Threat?
There are really two different classes of problems in file upload forms:
File metadata (path, filename)
o The term metadata refers to "data about data".
o Example of a threat: storing the file in a bad location.
File content
o The range of problems here depends entirely on what the file is used
for.
22. Risk Factors
The impact of this vulnerability is high but the likelihood is low. So, the
severity of this type of vulnerability is Medium.
The website can be defaced.
The web server can be compromised by uploading and executing a web shell,
which can:
o run commands
o browse the system files
o browse local resources
o attack other servers
23. Risk Factors
An attacker might be able to put a phishing page on the website.
Local file inclusion vulnerabilities can be exploited by uploading a
malicious file to the server.
A malicious file can be uploaded to the server in the hope that it is
later executed by an administrator or webmaster.
25. Weak Protection Methods
Using a Black-List for File Extensions
Using a White-List for File Extensions
Using "Content-Type" from the Header
Using a File Type Recogniser
26. Weak Protection Methods
Attacks on the application platform
Upload a .gif to be resized: an image library flaw is exploited
Upload huge files: file space denial of service
Upload a file using a malicious path or name: a critical file is overwritten
Upload a file containing personal data: other users can access it
Upload a file containing "tags": the tags get executed as part of being
"included" in a web page
27. Weak Protection Methods
Using a Black-List for File Extensions
Bypass by changing some letters of the extension to upper case
(example: "file.aSp" or "file.PHp3").
Using trailing spaces and/or dots at the end of the filename: these spaces
and/or dots are removed automatically when the file is saved to the hard
disk (example: "file.asp ... ... . . .. ..", "file.asp ", or "file.asp.").
A web server may use the first extension after the first dot (".") in the file
name (example: "file.php.jpg").
28. Weak Protection Methods
Using a Black-List for File Extensions
This protection can be completely bypassed by using the most famous
control character, the null byte (example: "file.asp%00.jpg").
29. Weak Protection Methods
Using a White-List for File Extensions
Although using a white-list is one of the recommendations, it is not enough
on its own. Without input validation:
o A web server may use the first extension after the first dot (".") in the
file name (example: "file.php.jpg").
o Using trailing spaces and/or dots at the end of the filename: these spaces
and/or dots are removed automatically when the file is saved to the hard
disk (example: "file.asp ... ... . . .. ..", "file.asp ", or "file.asp.").
30. Weak Protection Methods
Using “Content-Type” from the Header
“Content-Type” entity in the header of the request indicates the Internet
media t
o It is possible to bypass this protection by changing this header in
the request using a local proxy.
31. Weak Protection Methods
Using a File Type Recogniser
Some applications use functions (or APIs) to check the type of the file before
processing it further. For instance, where images are resized, there is
probably an image type recogniser.
o Sometimes the recognisers only read the first few characters (or
header) of the file (malicious code can follow a valid header).
o There are always places in the structure of a file format that are reserved
for comments and have no effect on the main file, and an attacker can
insert malicious code at these points.
32. Weak Protection Methods
Prevention Methods: File Metadata
It is necessary to have a list of permitted extensions on the web
application, and the file extension should be selected from that list: use
your own extension instead of the user-supplied extension of the file.
34. Countermeasure
Prevention Methods : File Meta Data
All control characters and Unicode characters should be removed from
filenames.
Also, special characters such as ";", ":", ">", "<", "/", "\", additional ".",
"*", "%", "$", and so on should be discarded as well.
It is recommended to only accept filenames matching the regular expression
[a-zA-Z0-9]{1,200}\.[a-zA-Z0-9]{1,10}.
Always check both forward slashes and backslashes, because the file system
may support both.
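A filename validator that applies the rules on this slide, as an added example in PHP (not code from the original slides): it rejects control characters and special characters, accepts only the slide's pattern [a-zA-Z0-9]{1,200}\.[a-zA-Z0-9]{1,10}, handles both slash kinds, and then checks the extension against a server-side whitelist. The constructed test cases are the bypass forms listed on the "Weak Protection Methods" slides. The whitelist and the function name are assumptions.

```php
<?php
// Added example: validate a client-supplied filename against the slide's rules.

const ALLOWED_EXTENSIONS = ['gif', 'jpg', 'jpeg', 'png'];   // assumed server-side whitelist

/**
 * Returns a canonical safe filename, or null if the client-supplied name is rejected.
 */
function validateUploadName(string $clientName): ?string
{
    // 1. Reject control characters (NUL from %00, tabs, ...), spaces and non-ASCII bytes outright.
    //    Rejecting rather than stripping avoids "file.asp ..." silently becoming "file.asp".
    if (preg_match('/[^\x21-\x7E]/', $clientName)) {
        return null;
    }

    // 2. Drop any directory part. basename() only understands "/", so normalise backslashes
    //    first, because the file system may support both separators.
    $name = basename(str_replace('\\', '/', $clientName));

    // 3. The slide's regular expression: alphanumerics, exactly one dot, alphanumerics.
    //    This also excludes ";", ":", "<", ">", "*", "%", "$" and a second "." (double extensions).
    if (!preg_match('/^[a-zA-Z0-9]{1,200}\.[a-zA-Z0-9]{1,10}$/', $name)) {
        return null;
    }

    // 4. Compare the extension case-insensitively against OUR list and emit our spelling of it,
    //    so "Photo.JPG" is stored as "Photo.jpg" and "file.aSp" is refused.
    [$base, $ext] = explode('.', $name, 2);
    $ext = strtolower($ext);
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }
    return $base . '.' . $ext;
}

// Constructed test cases, including the bypass forms from the earlier slides.
$cases = [
    'photo.png'        => 'photo.png',
    'Photo.JPG'        => 'Photo.jpg',
    '../../etc/passwd' => null,   // traversal; after basename() no valid extension remains
    'C:\\boot.ini'     => null,   // backslash path; after normalising, no allowed extension
    'file.aSp'         => null,   // case trick: "asp" is not on the whitelist
    'file.php.jpg'     => null,   // double extension: two dots
    'file.asp .'       => null,   // trailing space and dot
    "file.asp\0.jpg"   => null,   // null byte (%00 after decoding)
    'shell.png;.php'   => null,   // special characters
];
foreach ($cases as $input => $expected) {
    $got = validateUploadName($input);
    printf("%-20s -> %-12s %s\n", addcslashes($input, "\0..\37"),
        var_export($got, true), $got === $expected ? 'ok' : 'MISMATCH');
}
```

Every line of the table should print "ok". The order of the checks matters: the control-character test runs on the raw input before `basename()`, so a NUL byte can never be hidden by path handling.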
36. Countermeasure
Prevention Methods : File Meta Data
Limit the filename length.
Try to use the POST method instead of PUT (or GET!).
Prevent overwriting a file when both files have the same hash.
Create a list of accepted MIME types (and map extensions from these MIME types).
Log users' activities. However, the logging mechanism itself should be secured against log
forgery and code injection.
37. Countermeasure
Prevention Methods : File content
Use Cross-Site Request Forgery protection methods.
Restrict very small files as well, as they can also lead to denial of service attacks.
Generate a random file name and append the previously selected extension.
Limit the file size to a maximum value in order to prevent denial of service attacks.
Where compressed files are extracted, each file inside the archive should be checked
individually as a new upload.
38. Countermeasure
Prevention Methods : File content
Use an algorithm to determine the filenames. For instance, a filename can be the MD5
hash of the original name plus the date of the day.
Prevent overwriting a file when both files have the same hash.
o PHP functions:
• hash_file: generate a hash value using the contents of a given file
• sha1_file: calculate the sha1 hash of a file
39. Countermeasure
Prevention Methods : File content
The upload directory should not have any "execute" permission.
If possible, store uploaded files in a directory outside the server root.
Prevent overwriting of existing files (to prevent the .htaccess overwrite attack).
Use an absolute path to point exactly where you want to store/retrieve the file.
For downloads you will need to write a simple script which dumps the file to the
browser after doing some authentication checks.
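An upload handler that puts the countermeasures from the "Prevention Methods" slides together (server-side extension list, size limits, content type detected with fileinfo instead of the Content-Type header, a random server-chosen name, a content hash, no overwriting, storage outside the document root, no execute bit), as an added example in PHP and not code from the original slides. UPLOAD_DIR, MIN_BYTES, MAX_BYTES, ALLOWED_TYPES and the function name are assumptions for this example.

```php
<?php
// Added example: a hardened handler for one entry of $_FILES.

const UPLOAD_DIR    = '/var/www/uploads';    // assumed: outside the web server's document root
const MIN_BYTES     = 1;                     // assumed lower bound (reject empty files)
const MAX_BYTES     = 2 * 1024 * 1024;       // assumed 2 MiB upper bound
// Allowed extension => MIME type the file content must actually have.
const ALLOWED_TYPES = [
    'gif'  => 'image/gif',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
];

/**
 * $file is one entry of $_FILES (e.g. $_FILES['uploadedfile']).
 * Returns ['ok' => true, ...] with the stored name and SHA-256, or ['ok' => false, 'reason' => ...].
 */
function storeUpload(array $file): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return ['ok' => false, 'reason' => 'upload error code ' . ($file['error'] ?? 'none')];
    }
    // Only handle files PHP itself received in this POST, never a tmp_name taken from user input.
    if (!is_uploaded_file($file['tmp_name'])) {
        return ['ok' => false, 'reason' => 'not an uploaded file'];
    }
    // Size limits: an upper bound against disk exhaustion, a lower bound against empty junk.
    $size = filesize($file['tmp_name']);
    if ($size < MIN_BYTES || $size > MAX_BYTES) {
        return ['ok' => false, 'reason' => "size $size out of range"];
    }
    // The client name is used for one thing only: selecting an entry from OUR list. Names such as
    // "file.php.jpg", "file.asp." or "file.aSp" either map to an allowed key (and must then pass
    // the content check below) or are rejected here. The client name itself is never written to disk.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return ['ok' => false, 'reason' => 'extension not allowed'];
    }
    // Detect the real type from the content with fileinfo and require it to match the extension.
    // $file['type'] (the client's Content-Type header) is deliberately ignored.
    $finfo    = finfo_open(FILEINFO_MIME_TYPE);
    $detected = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);
    if ($detected !== ALLOWED_TYPES[$ext]) {
        return ['ok' => false, 'reason' => "content is $detected, expected " . ALLOWED_TYPES[$ext]];
    }
    // Hash of the content: lets the application detect duplicates and decide about them explicitly.
    $digest = hash_file('sha256', $file['tmp_name']);
    // Random, server-generated name plus the extension we selected; nothing from the client is reused.
    $newName = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest    = UPLOAD_DIR . '/' . $newName;
    if (file_exists($dest)) {
        return ['ok' => false, 'reason' => 'name collision, refusing to overwrite'];
    }
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return ['ok' => false, 'reason' => 'could not move file into place'];
    }
    chmod($dest, 0640);   // rw for the owner, r for the group, nothing for others, no execute bit
    return ['ok' => true, 'stored_as' => $newName, 'sha256' => $digest, 'bytes' => $size];
}

// Wiring in the form handler (field name "uploadedfile" as on the $_FILES slide):
// $result = storeUpload($_FILES['uploadedfile'] ?? []);
// header('Content-Type: application/json');
// echo json_encode($result);
```

The returned `sha256` is what the application would store alongside `stored_as` in its database; comparing it with existing records is how the "same hash" duplicate case on the slides is detected without ever replacing a file on disk.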
40. Countermeasure
Prevention Methods : upload file Directory
Define a .htaccess file that only allows access to files with allowed extensions.
o Configure the server so that .htaccess cannot be overwritten.
o Do not place the .htaccess file in the same directory where the uploaded files will be
stored. It should be placed in the parent directory.
o A typical .htaccess which allows only gif, jpg, jpeg and png files should include the
following (adapt it for your own needs). This will also prevent double extension attacks.
deny from all
<Files ~ "^\w+\.(gif|jpe?g|png)$">
order deny,allow
allow from all
</Files>
41. Countermeasure
Prevention Methods : upload file Directory
Prevent directory listing. If you create a new directory (or folder) on your website and do not put
an "index.html" file in it, you may be surprised to find that your visitors can get a directory listing of all
the files in that folder.
For example, if you create a folder called "incoming", anyone can see everything in that directory simply by
typing "http://www.example.com/incoming/" in their browser. No password or anything else is needed.
Add the following line to the .htaccess file in this folder:
Options -Indexes
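The "simple download script" the earlier countermeasure slide calls for, as an added example in PHP (not code from the original slides): with uploads stored outside the server root and directory listing disabled, this is the only way a client reaches a stored file, and it hands out one file at a time after an authentication check. The client may only name a file by the server-generated name pattern, so no path of its choosing is ever opened. UPLOAD_DIR, the `userIsAuthenticated()` placeholder and the function names are assumptions.

```php
<?php
// Added example: serve one stored upload to an authenticated user.

const UPLOAD_DIR = '/var/www/uploads';   // assumed: outside the document root

function userIsAuthenticated(): bool
{
    // Placeholder: replace with the application's real session / authorisation check.
    return isset($_SESSION['user_id']);
}

/**
 * Maps a client-supplied id to a real path inside UPLOAD_DIR, or null if it is not acceptable.
 */
function resolveStoredFile(string $id): ?string
{
    // Only the server-generated form is accepted: 32 hex characters plus a whitelisted extension.
    // Slashes, "..", NUL bytes and extra dots all fail the pattern, so traversal is impossible.
    if (!preg_match('/^[a-f0-9]{32}\.(gif|jpe?g|png)$/', $id)) {
        return null;
    }
    $base = realpath(UPLOAD_DIR);
    $real = realpath(UPLOAD_DIR . '/' . $id);
    // realpath() resolves symlinks; insist the result still lies directly inside the upload directory.
    if ($base === false || $real === false || dirname($real) !== $base || !is_file($real)) {
        return null;
    }
    return $real;
}

function sendStoredFile(string $id): void
{
    if (!userIsAuthenticated()) {
        http_response_code(403);
        exit('forbidden');
    }
    $path = resolveStoredFile($id);
    if ($path === null) {
        http_response_code(404);
        exit('not found');
    }
    // Content type comes from the bytes on disk (fileinfo), not from anything the client sent.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $path);
    finfo_close($finfo);
    header('Content-Type: ' . $mime);
    header('Content-Length: ' . filesize($path));
    // "attachment" plus nosniff: the browser saves the bytes instead of rendering or sniffing them.
    header('Content-Disposition: attachment; filename="' . $id . '"');
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

// Entry point, e.g. /download.php?id=<stored name>:
// session_start();
// sendStoredFile($_GET['id'] ?? '');
```

Because the upload handler never stores a file under a client-chosen name, the strict pattern in `resolveStoredFile()` loses nothing: every legitimately stored file matches it, and every other string is refused before the filesystem is touched.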
42. Countermeasure
Prevention Methods : PHP Functions
Use fileinfo
This extension is enabled by default as of PHP 5.3.0. Before that, fileinfo was a PECL
extension, but it is no longer maintained there.
For installation:
o Windows users: just edit php.ini and uncomment this line:
extension=php_fileinfo.dll
43. Countermeasure
Prevention Methods : PHP Functions
Fileinfo functions
o finfo_buffer: return information about a string buffer
o finfo_close: close a fileinfo resource
o finfo_file: return information about a file
o finfo_open: create a new fileinfo resource
o finfo_set_flags: set libmagic configuration options
o mime_content_type: detect the MIME content type of a file (deprecated)