Good idea vs bad execution
A new penetration testing project is finished and we found a wonderful vulnerability. So, let's start to understand what we found.
First, the idea of the web developer was brilliant. Think about the problem you'll have if you write an image manipulation tool in some framework. You have the controller and some other parts in the URL, and you have to give the script a path to the image it should convert.
The good idea
So for better understanding, look at this URL:
Now, you’ll have a problem if the path includes folders.
The path to /upload/holiday/123.jpg will destroy the concept of the converter, because the URL looks like this:
You see, it would throw errors every time, so the coder does something like this:
The bad execution
I think it is a good idea to preserve the concept of the converter. But not if you echo the decoded path back in an error message just because the script can't find the file.
Really not a good idea to do something like this. Let's take a look.
The File 'base64_encode(path)' doesn't exist.
So… please, if you use base64 encoding, check every output and make sure there is no path traversal in your code ;).
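One way to handle such a base64-encoded path parameter safely, as an added example that is not code from the tested application: the decoded path is resolved inside a fixed root, and every failure returns the same generic message, so the decoded path is never echoed back. The function name `resolve_image_path`, the directory layout and the sample files are constructed assumptions.

```php
<?php
// Added example; resolve_image_path() and the demo layout are hypothetical.

function resolve_image_path(string $encoded, string $root): ?string
{
    // Strict mode rejects characters outside the base64 alphabet.
    $decoded = base64_decode($encoded, true);
    if ($decoded === false || $decoded === '' || strpos($decoded, "\0") !== false) {
        return null;
    }

    $rootReal = realpath($root);
    if ($rootReal === false) {
        return null;
    }

    // realpath() collapses "../" and symlinks, and returns false for missing files.
    $candidate = realpath($rootReal . DIRECTORY_SEPARATOR . ltrim($decoded, '/\\'));
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }

    // Containment: the resolved file must still live below the root.
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demo data: one image inside the web root, one file outside it.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'imgdemo_' . bin2hex(random_bytes(4));
mkdir("$base/webroot/upload/holiday", 0700, true);
file_put_contents("$base/webroot/upload/holiday/123.jpg", 'jpeg-bytes');
file_put_contents("$base/config.ini", 'outside the web root');

$samples = ['/upload/holiday/123.jpg', '/upload/../../config.ini', '/upload/holiday/missing.jpg'];
foreach ($samples as $path) {
    $param = base64_encode($path);          // what the URL segment would carry
    $file  = resolve_image_path($param, "$base/webroot");
    // Same generic answer for every failure; the decoded path is never echoed.
    echo $param, ' => ', $file === null ? '404 Image not found.' : 'OK, serving image', PHP_EOL;
}
```

Only the first sample is served; the traversal attempt and the missing file get the identical response, which also avoids revealing whether a path outside the root exists.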