Help: directory browse script (security)

I haven't found a good directory browse script that will browse through a folder and all of its subfolders, but NOT to any folders that are above it, all using a single page that makes calls back to itself. The idea is to have a single page that can be dropped into any folder and that will return folder listings for all folders under it but nothing above it. Actually, I don't know if it's possible to securely do this...but here's my attempt. Nearly all of the code that performs the actual operation comes from this MS KB article:
http://support.microsoft.com/kb/q224364/

You can see that code in action here:
http://www.ie.usf.edu/dev/dirbrowse/

I've modified the code to accept a query string that is passed back to the script if a folder is selected from the listing. Then, it will take that new folder's path and enumerate all of the subfolders and files under that directory.

For example, take a look at the "dirbrowse" page I posted above. If I wanted to view the folder "testfolder," the script would be called as http://www.ie.usf.edu/dev/dirbrowse/default.asp?folder=newfolder/

The script would then list all of the subfolders/files under /dev/dirbrowse/newfolder/.

The problem is this: if you pass a ../ to the script at the end of the querystring, it will move up a directory. For example, passing default.asp?folder=newfolder/../ will actually not change directories. If you pass default.asp?folder=newfolder/../../ then the new directory listing will be from /dev/. Passing default.asp?folder=newfolder/../../../ would get you a listing from the root of the entire website.

The real issue is that it will continue to move up folders until you get directory listings from the root of the drive. Then you see Inetpub, System Information, and the Recycle Bin (I've got InetPub on a separate disk from the OS, so you don't see any "critical" items, but this is a huge risk nonetheless).

Here's a link to the code...obviously I can't include a working model as this is a security issue, but you can try it out on your own server if you'd like:

http://www.ie.usf.edu/dev/dirbrowse/default.txt

Please help :confused: Any ideas on this? I don't want to enable directory browsing...that defeats the whole purpose and is rather insecure itself.

Thanks!

Travis

Maybe this will give some ideas:

Using the FileSystemObject for Web Site Maintenance, Part 2 - 9/14/1999
http://www.4guysfromrolla.com/webtech/091499-1.shtml

the answer to this is incredibly simple (provided you arent letting people make their own)

you can juststrPath = Replace(Request.QueryString("Folder"), "..", ".")where before it would have been
strPath = Request.QueryString("Folder")

you could use server settings and permissions to disallow linking up directiories (this disables <!--#include file="../blah.inc" --> but im not sure about FSO)

its easier to just remove ..s from the path but this will not work on every script on the server

Thanks for the responses!

Bullschmidt:
The FSO article at 4G is pretty good. I might end up using that for an additional part of this little project...possibly doing some sort of full-site tree browser, a la Explorer.

ghell:

Good points. I've got a lot of code that currently uses .., so I don't want to disable it yet (although I intend to remove it soon). Aren't SSI a separate issue from ..s, or did you meant that if I have SSI using .., then disabling them would disable the SSI?

I was hoping for a more "secure" solution, but I ended up doing close to what you mentioned...here's the pertinent code:

dim folder
folder = ""
folder = Trim(Request("folder"))

' get the current folder URL path
strTemp = Mid(Request.ServerVariables("URL"),2)
strPath = ""

Do While Instr(strTemp,"/")
strPath = strPath & Left(strTemp,Instr(strTemp,"/"))
strTemp = Mid(strTemp,Instr(strTemp,"/")+1)
Loop

strPath = "/" & strPath

if folder <> "" And Instr(folder, "..") <= 0 And Instr(folder, strPath) then
' folder is calling for a listing of its files
strPath = folder
end if


I think you can tell what it does by the var names, but it basically gets the current path of the script file, checks to make sure that the querystring doesn't contain .. (which, by the way, also grabs it if the user tries the ASCII value of period) and that the script folder path is contained in the querystring (keeps the user from going up the directory tree), and allows it through. otherwise, they are given the listing from the folder where the script resides.

If anyone is interested in the script, I'll post the code and/or put it up for viewing.

Thanks for the help,

Travis

im not sure but i think you want to check instr for < 0 rather than <= 0

i think this would still return 0:

InStr("../somedir/page.asp", "..")

if its not in there i think its always -1

ghell,

I could be off base on this as well, but I think it works (basically) like this: If it's not found, it returns 0, but if it's found then it returns the pos in str1 where the string starts.

Here's a link that describes the return values for Instr:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/script56/html/vsfctinstr.asp

Travis