Web Server Folder Directory Traversal Vulnerabilities

This vulnerability is referred to as the "Web Server Folder Directory Traversal" vulnerability. This vulnerability has characteristics similar to vulnerabilities that have been widely exploited in the past. Unless remedial action is taken, we believe it is likely that systems with this vulnerability will be compromised.

By design, most servers restrict access to files on the server to only those files in the web folder(s). This includes attempts to access files through a relative reference such as

http://www.example.org/data/../../../winnt/file.dat

Attempts to access a file in this manner should fail.

Furthermore, an attempt to execute a file contained in a directory not marked as executable should fail. For example,

http://www.example.org/data/prog.exe

will attempt to download the file prog.exe to the web browser rather than executing it on the server. However, an administrator can permit the execution of files on the server by marking their parent directory as executable. Web servers include a set of default directories in the web folder, including a scripts directory, which are executable by default. Therefore, by default, a reference to

http://www.example.org/scripts/prog.exe

will cause the server to attempt to execute prog.exe. For the same reason that an attempt to read file.dat through a relative reference will fail as shown above, an attempt to execute prog2.exe via a relative reference will fail as well. That is, a reference to

http://www.example.org/data/../../../winnt/prog2.exe

will neither download prog2.exe nor attempt to execute it.

When a server fails to perform as described above, we refer to it as having a "Web Server Folder Directory Traversal" vulnerability.

If an intruder encodes the relative reference to prog2.exe using ../ or certain unicode characters, some servers fail to prevent access to it. If the relative reference is relative to a directory marked as executable, the reference will result in an attempt to execute the file. For example, by default, a reference to

http://www.example.org/scripts/../../../winnt/prog2.exe

will cause IIS to attempt to execute prog2.exe if the reference is encoded using certain unicode characters (not shown above). Other references can be constructed to simply attempt to read files; such references do not need to be relative to a directory marked as executable.
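The following is an added example, not part of the advisory and not IIS code, that models the behaviour the two preceding passages describe: a request path is percent-decoded first, then normalized against the web root, then checked for containment, and only then is the "download or execute" decision made from the parent directory. The root `/inetpub/wwwroot` and the executable `scripts` directory are hypothetical values chosen for the example; a malformed multibyte sequence is rejected outright rather than normalized, because decoding after normalization is what lets an encoded `..` escape the check.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote_to_bytes

# Constructed configuration for this example (hypothetical paths).
WEB_ROOT = "/inetpub/wwwroot"
EXECUTABLE_DIRS = {"/inetpub/wwwroot/scripts"}


def canonicalize(request_path: str) -> Optional[str]:
    """Return the canonical filesystem path for a request, or None to reject it."""
    # 1. Percent-decode to raw bytes and require valid UTF-8. A malformed or
    #    overlong multibyte sequence must be rejected here; if it were passed
    #    through and decoded later, a '.' or '/' hidden inside it would bypass
    #    the normalization below.
    raw = unquote_to_bytes(request_path)
    try:
        decoded = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return None
    # 2. Windows servers accept '\' as a separator, so treat it as '/'; an
    #    embedded NUL would truncate the path in native APIs, so reject it.
    decoded = decoded.replace("\\", "/")
    if "\x00" in decoded:
        return None
    # 3. Join with the root and collapse '.' and '..' segments. A reference
    #    that climbs above the root resolves to a path outside it, which is
    #    what the containment check below detects.
    full = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    # 4. Containment: the result must be the root itself or a descendant.
    if full != WEB_ROOT and not full.startswith(WEB_ROOT + "/"):
        return None
    return full


def dispatch(request_path: str) -> str:
    """Decide what the server does with a request: 'reject', 'execute' or 'serve'."""
    full = canonicalize(request_path)
    if full is None:
        return "reject"
    # Execution is permitted only when the file's parent directory has been
    # marked executable by the administrator; otherwise the file is sent to
    # the browser as data.
    if posixpath.dirname(full) in EXECUTABLE_DIRS:
        return "execute"
    return "serve"


if __name__ == "__main__":
    # Constructed request paths mirroring the advisory's examples.
    for path in (
        "/data/prog.exe",
        "/scripts/prog.exe",
        "/data/../../../winnt/file.dat",
        "/scripts/../../../winnt/prog2.exe",
        "/data/%2e%2e/%2e%2e/%2e%2e/winnt/file.dat",
    ):
        print(f"{path:45} -> {dispatch(path)}")
```

The order of operations is the point: decode, then normalize, then check containment. Reversing the first two steps is the class of defect the advisory describes, since a normalizer that runs before decoding never sees the `..` that the encoded request contains.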

Whether or not an attempt to read or execute a file will succeed depends on the access permissions the server has with respect to that file. For the purposes of reading and executing files, servers generally run with the permissions of the <INSERT ACCOUNT> account.

As a general practice, and to mitigate this vulnerability if you are unable to install a patch, use file permissions to restrict the user account that the server runs under so that it can only access files contained in the web folder(s). Additionally, because relative references to files cannot cross volume boundaries, you may wish to configure your server so that the web folder is on a separate volume; that is, keep the web data on the D: drive and everything else on the C: drive. Note, however, that this provides only very limited protection and can be circumvented by an intruder.

Last updated July 2, 2007