  1. #1
    New to the CF scene

    Help: directory browse script (security)

    I haven't found a good directory browse script that will browse through a folder and all of its subfolders, but NOT to any folders that are above it, all using a single page that makes calls back to itself. The idea is to have a single page that can be dropped into any folder and that will return folder listings for all folders under it but nothing above it. Actually, I don't know if it's possible to securely do this...but here's my attempt. Nearly all of the code that performs the actual operation comes from this MS KB article:
    http://support.microsoft.com/kb/q224364/

    You can see that code in action here:
    http://www.ie.usf.edu/dev/dirbrowse/

    I've modified the code to accept a query string that is passed back to the script if a folder is selected from the listing. Then, it will take that new folder's path and enumerate all of the subfolders and files under that directory.

    For example, take a look at the "dirbrowse" page I posted above. If I wanted to view the folder "testfolder," the script would be called as http://www.ie.usf.edu/dev/dirbrowse/...der=newfolder/

    The script would then list all of the subfolders/files under /dev/dirbrowse/newfolder/.

    The problem is this: if you pass a ../ to the script at the end of the querystring, it will move up a directory. For example, passing default.asp?folder=newfolder/../ will actually not change directories. If you pass default.asp?folder=newfolder/../../ then the new directory listing will be from /dev/. Passing default.asp?folder=newfolder/../../../ would get you a listing from the root of the entire website.

    The real issue is that it will continue to move up folders until you get directory listings from the root of the drive. Then you see Inetpub, System Information, and the Recycle Bin (I've got InetPub on a separate disk from the OS, so you don't see any "critical" items, but this is a huge risk nonetheless).

    Here's a link to the code...obviously I can't include a working model as this is a security issue, but you can try it out on your own server if you'd like:

    http://www.ie.usf.edu/dev/dirbrowse/default.txt

    Please help! Any ideas on this? I don't want to enable directory browsing...that defeats the whole purpose and is rather insecure itself.

    Thanks!

    Travis
    Last edited by MrFreeze; 02-04-2005 at 03:51 PM.

  • #2
    Regular Coder
    Maybe this will give some ideas:

    Using the FileSystemObject for Web Site Maintenance, Part 2 - 9/14/1999
    http://www.4guysfromrolla.com/webtech/091499-1.shtml
    J. Paul Schmidt
    www.Bullschmidt.com - Freelance Web and Database Developer
    www.Bullschmidt.com/DevTip.asp - Classic ASP Design Tips

  • #3
    Senior Coder
    The answer to this is incredibly simple (provided you aren't letting people make their own).

    You can just use
    Code:
    strPath = Replace(Request.QueryString("Folder"), "..", ".")
    where before it would have been
    strPath = Request.QueryString("Folder")

    You could use server settings and permissions to disallow linking up directories (this disables <!--#include file="../blah.inc" -->, but I'm not sure about FSO).

    It's easier to just remove ..s from the path, but this will not work on every script on the server.

  • #4
    New to the CF scene
    Thanks for the responses!

    Bullschmidt:
    The FSO article at 4G is pretty good. I might end up using that for an additional part of this little project...possibly doing some sort of full-site tree browser, a la Explorer.

    ghell:

    Good points. I've got a lot of code that currently uses .., so I don't want to disable it yet (although I intend to remove it soon). Isn't SSI a separate issue from ..s, or did you mean that if I have SSI using .., then disabling them would disable the SSI?

    I was hoping for a more "secure" solution, but I ended up doing close to what you mentioned...here's the pertinent code:
    Code:
    	Dim folder, strTemp, strPath
    	folder = ""
    	folder = Trim(Request("folder"))
    	
    	' get the current folder URL path: Request.ServerVariables("URL") is the
    	' virtual path of this script (e.g. /dev/dirbrowse/default.asp); drop the
    	' leading "/" and keep everything up to and including the last "/"
    	strTemp = Mid(Request.ServerVariables("URL"), 2)
    	strPath = ""
       
    	Do While Instr(strTemp, "/")
    	  strPath = strPath & Left(strTemp, Instr(strTemp, "/"))
    	  strTemp = Mid(strTemp, Instr(strTemp, "/") + 1)
    	Loop
    
    	strPath = "/" & strPath   ' e.g. /dev/dirbrowse/
    	
    	' honour the query string only if it is non-empty, contains no "..",
    	' and contains the script's own folder path; otherwise fall through
    	' and list the folder the script lives in
    	If folder <> "" And Instr(folder, "..") <= 0 And Instr(folder, strPath) Then
    	' folder is calling for a listing of its files
    		strPath = folder
    	End If
    I think you can tell what it does by the var names, but it basically gets the current path of the script file, checks to make sure that the querystring doesn't contain .. (which, by the way, also grabs it if the user tries the ASCII value of period) and that the script folder path is contained in the querystring (keeps the user from going up the directory tree), and allows it through. otherwise, they are given the listing from the folder where the script resides.

    If anyone is interested in the script, I'll post the code and/or put it up for viewing.

    Thanks for the help,

    Travis
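    As an added example, not code from this thread or from the MS KB article, the path handling discussed in posts #1, #3 and #4 is modelled below in Python so the three behaviours can be exercised side by side with a canonicalise-then-compare check: the unchecked climb via ../ from post #1, the Replace("..", ".") shortcut from post #3, and the "no .. and contains the script's folder" test from post #4. The site root (/inetpub/wwwroot), the script folder (/dev/dirbrowse/, taken from the thread's URLs) and the sample folder names are constructed for the example, and posixpath.normpath stands in for the way Server.MapPath collapses ".." segments.

```python
"""Added example: the directory-browse path checks from this thread,
modelled in Python. The site root, script folder and sample inputs are
constructed for illustration; posixpath.normpath stands in for the way
Server.MapPath collapses '..' segments."""
import posixpath

# Constructed layout: the site lives under WEB_ROOT on disk, and
# default.asp sits in the virtual folder SCRIPT_DIR, which is the only
# tree the script should ever list.
WEB_ROOT = "/inetpub/wwwroot"
SCRIPT_DIR = "/dev/dirbrowse/"


def map_path(virtual):
    """Stand-in for Server.MapPath: virtual path -> physical path.

    Relative values (as in default.asp?folder=newfolder/) resolve against
    the script's folder, site-absolute ones against the site root.
    Backslashes count as separators because Windows accepts them, and
    normpath collapses '..' exactly as the file system would, so enough
    '..' segments climb past the site root toward the drive root.
    """
    virtual = virtual.replace("\\", "/")
    base = WEB_ROOT if virtual.startswith("/") else WEB_ROOT + SCRIPT_DIR
    return posixpath.normpath(base + "/" + virtual)


def strip_dotdot(folder):
    """Post #3's one-liner, Replace(folder, "..", "."): a single
    left-to-right pass, so "...." collapses to ".." and survives."""
    return folder.replace("..", ".")


def substring_check(folder):
    """Post #4's check: non-empty, no "..", and the script's own URL
    folder appears somewhere in the string; otherwise list SCRIPT_DIR.
    Returns the virtual path that will be listed."""
    folder = folder.strip()
    if folder and ".." not in folder and SCRIPT_DIR in folder:
        return folder
    return SCRIPT_DIR


def hardened(folder):
    """Canonicalise first, compare second: resolve the request to a
    physical path and accept it only if it is the script's own folder or
    lies beneath it. commonpath works on whole components, so a sibling
    such as .../dirbrowse2 is not mistaken for a child."""
    allowed_root = map_path("")
    if "\x00" in folder:            # NUL would truncate the path in the OS call
        return allowed_root
    target = map_path(folder)
    if posixpath.commonpath([allowed_root, target]) == allowed_root:
        return target
    return allowed_root


if __name__ == "__main__":
    for f in ("newfolder/", "newfolder/../../", "newfolder/../../../../../"):
        print(f"{f!r:32} unchecked -> {map_path(f)}")
    print("Replace('..','.') bypass:", map_path(strip_dotdot("newfolder/..../..../")))
    print("substring check, sibling:", map_path(substring_check("/other/dev/dirbrowse/")))
    for f in ("/other/dev/dirbrowse/", "newfolder\\..\\..\\", "/dev/dirbrowse/newfolder/"):
        print(f"{f!r:32} hardened  -> {hardened(f)}")
```

    Two points the runs make visible: Python's str.replace and VBScript's Replace both make one left-to-right pass, so "newfolder/..../..../" becomes "newfolder/../../" and climbs two levels despite the filter, whereas post #4's ".." test rejects "...." outright; and a substring test accepts "/other/dev/dirbrowse/" because it merely contains the script's folder, while the canonicalised comparison does not. On NTFS the final comparison should also be case-insensitive, which the example leaves out.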

  • #5
    Senior Coder
    I'm not sure, but I think you want to check Instr for < 0 rather than <= 0.

    I think this would still return 0:

    InStr("../somedir/page.asp", "..")

    If it's not in there, I think it's always -1.

  • #6
    New to the CF scene
    ghell,

    I could be off base on this as well, but I think it works (basically) like this: If it's not found, it returns 0, but if it's found then it returns the pos in str1 where the string starts.

    Here's a link that describes the return values for Instr:
    http://msdn.microsoft.com/library/de...vsfctinstr.asp

    Travis