Path Injection

What is path injection?

Path injection is an attack on websites that exploits the way in which many websites access resources. A website often needs to refer to a (local or remote) file or resource by a path, either a filesystem path or a URL path, and it may build that path on the fly from user input. If this input is not adequately validated, path injection may be possible. Among other things, this can lead to complete compromise of the website.

What makes a site vulnerable?

Sites may be vulnerable to path injection if they use user-influenced input when constructing the paths used to access local or remote resources. An attacker may modify this input and thereby modify the path, which potentially changes the resource that is accessed. In such cases the attacker may gain access that is not normally permitted to users.

Directory traversal

Directory traversal is a special case of path injection. It involves modifying the path to reference directories other than the ones intended by the website designers. Typically the ../ character sequence is injected; it refers to the parent of the current directory, so repeating it allows an attacker to reach files in directories closer to the website or web server root. Alternatively, the attacker can inject specific directory names to delve deeper into the website and reach parts of it that are not usually accessible. Ultimately, directory traversal can allow the attacker to reference, and potentially access, files anywhere on the web server.

Poison Null Byte

An interesting opportunity for attackers engaged in path injection lies in the poison null byte (%00 in URL encoding). Some websites try to prevent path injection by appending a 'safe' file extension to the end of any path they create. For example, if you append .html to the path, the theory goes, the user will only be able to access .html files, leaving all your other files out of reach. However, this is not always the case. The null byte is interpreted as the end of a string by C/C++, the languages in which many web language interpreters are written, but not by those web languages themselves: PHP, for example, treats the null byte as an ordinary character within a string rather than as its end. When it is used in a path, the web language sees a filename that just happens to contain a null byte before the file extension. However, when that path is passed down to the underlying C/C++ code, the string is treated as ending at the injected null byte and the appended file extension is lost. Because of this the attacker is able to manipulate files of any type.

Other path injection tricks

Apache's mod_mime examines every extension in a filename while trying to identify the type of a file. It uses the last extension if that extension is recognised, but a name such as test.php.pppdf, whose final extension is unknown, would be interpreted as a PHP file. This gives a way to bypass filters which only exclude files ending in ".php".

Example of path injection

Suppose your website needs to create text files based on the user’s input. It may use code such as that shown in this PHP path injection example:

index.php:

<?php
// Deliberately vulnerable: $_POST['filename'] is used unvalidated in the path
$fh = fopen('files/'.$user.'/'.$_POST['filename'].'.html', 'w');
fwrite($fh, $_POST['content']);

To create a legitimate file in their directory, a user would fill out a form specifying the filename (e.g. 'myfirstpage') and the content (e.g. 'This is my first page').

An attacker, on the other hand, could seize the opportunity to cause some real damage by instead setting the filename to '../../index.php%00'. Through a combination of directory traversal and a poison null byte, the attacker would be able to overwrite the main page of the website with content of their choosing. As well as taking complete control of the website, the attacker may be able to gain control of the server too.

Impact of the attack

In a path injection attack the attacker exploits the website's path construction to change the path in unexpected ways. This can allow the attacker to access resources other than those intended, or to access the intended resources in ways that are not otherwise possible. Path injection can lead to information disclosure, misuse of resources, destruction of information, website backdooring, and more.

Preventing path injection

To prevent path injection attacks it is necessary to ensure that the attacker cannot modify the path in any undesirable way. The best approach is to enumerate all possible paths and use the user input only to select between them. Sometimes this is not practical because not all possible paths are known in advance. In such cases it is necessary to determine a general formula describing the allowed paths (e.g. all files in the template directory whose names consist only of lower-case letters followed by a .tmpl extension). Once such a formula exists, any input that would cause the path to violate it should be rejected. Note that care must be taken when constructing the formula. For example, it shouldn’t be possible for any user input containing the sequence ../ to produce a valid path unless the user is meant to be allowed to traverse arbitrary directories.
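The two approaches above, enumeration and a strict formula, applied to the index.php snippet from the example section, as an added illustration that is not part of the original page. The template list and the sample inputs are constructed; $user is assumed to come from the authenticated session rather than from the request.

```php
<?php
// Added example, not from the original page: hardened replacement for the
// index.php snippet. Assumes $user is set by the application from the
// authenticated session, never taken from the request.

// Approach 1 (preferred by the text): enumerate every allowed path and let
// the input only choose among them. The template list is a constructed example.
function select_template(string $requested): string
{
    $allowed = ['home' => 'templates/home.tmpl', 'about' => 'templates/about.tmpl'];
    if (!array_key_exists($requested, $allowed)) {
        throw new InvalidArgumentException('unknown template');
    }
    return $allowed[$requested];
}

// Approach 2: a "formula" for the filename. Only 1-32 lower-case letters or
// digits are accepted, so '/', '.' and NUL bytes can never appear and neither
// '../' nor a poison null byte reaches the path. \A and \z are used rather
// than ^ and $ because $ would also accept a trailing newline.
function is_safe_filename(string $name): bool
{
    return preg_match('/\A[a-z0-9]{1,32}\z/', $name) === 1;
}

function build_user_file_path(string $baseDir, string $user, string $name): string
{
    if (!is_safe_filename($user) || !is_safe_filename($name)) {
        throw new InvalidArgumentException('invalid filename');
    }
    $path = $baseDir . '/' . $user . '/' . $name . '.html';

    // Defence in depth: after symlink and '..' resolution the directory must
    // still lie under $baseDir. realpath() requires the user directory to exist.
    $realBase = realpath($baseDir);
    $realDir  = realpath(dirname($path));
    if ($realBase === false || $realDir === false
        || strncmp($realDir . '/', $realBase . '/', strlen($realBase) + 1) !== 0) {
        throw new RuntimeException('path escapes base directory');
    }
    return $path;
}

// Constructed sample inputs: the legitimate filename from the text is accepted;
// the attacker's value (after URL decoding, %00 is a real NUL byte) is rejected.
foreach (['myfirstpage', "../../index.php\0", 'page.html', "page\n"] as $input) {
    printf("%-20s %s\n", addcslashes($input, "\0..\37"),
           is_safe_filename($input) ? 'accepted' : 'rejected');
}
// In index.php: $fh = fopen(build_user_file_path('files', $user, $_POST['filename']), 'w');
```

PHP 5.3.4 and later reject a NUL byte in paths passed to filesystem functions on their own, but that does nothing against plain ../ traversal, so the filename check above is still required.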