

Is there a method to prevent an attacker from exploiting download.php
to grab some "sensitive" file?

I mean using that kind of trick


thank you

Re: securing

Frank Mutze wrote:

1. Validate the path and filename being downloaded
2. Don't run the webserver as root
3. Let Unix security help you.

Or, better yet - don't let them input the filename being downloaded.  Rather,  
give them a list of files and let them select.  But don't give them the  
filenames themselves - just descriptions.  Look up the filenames when they  
select which file they want to download.

Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.

Re: securing

On Wed, 29 Mar 2006 11:31:46 +0200, Frank Mutze wrote:


Use to convert it to a normal path and then use
one of the many string comparing functions to check it's within your
acceptable path.



Andy Jeffries MBCS CITP ZCE   | gPHPEdit Lead Developer | PHP editor for Gnome 2 | Personal site and photos

Re: securing


Jerry already suggested a good way, but you can also try it with a checksum  
to see that you did generate the filename by recalculating the check.

Say your filename is 'validfile.pdf'. You calculate a checksum for it, for
example by prepending a static password and md5'ing it.

$filename = 'validfile.pdf';
$checksum = md5($filename.'supercalifragislisticexpialidocious');

Then echo the link:


In download.php before outputting the file, you recalculate the checksum the
same way and compare it to the given checksum:

if($_GET['checksum'] == md5($_GET['filename'].'supercalifragislisticexpialidocious'))

If they match, it was indeed a link you generated and a file you generated,
but if it was changed to something like
filename=../../../../../../../../../../../../etc/passwd then the checksums
do not match (or at least the possibility of a false file name matching is
near to non-existing).

I used a scrambler 'supercalifragislisticexpialidocious' here, because
simply md5'ing the filename can be reproduced, but by adding the secret
scrambling key you also ensure that a hacker doesn't outsmart you by also
md5'ing his filename. Without the correct scrambling key the md5 will be
different, and since it is a one-way function, you cannot reproduce the
scrambling key from the md5 hash.

The way Jerry suggested is easier, but this is another way to achieve it.

"En ole paha ihminen, mutta omenat ovat elinkeinoni." -Perttu Sirvi | Gedoon-S @ IRCnet | rot13(xvzzb@bhgbyrzcv.arg)  

Re: securing


The easiest way is to remove any path elements that navigate up the  
directory structure:

$path=str_replace("../", "", $path);

that would at least keep it within your documentroot.  Comparing the  
realpath() is the most secure, however.
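Putting the realpath() comparison and the keyed-checksum link together in one download.php, as an added example that is not code from any poster in this thread. DOWNLOAD_DIR and LINK_SECRET are assumed placeholders, and hash_hmac() is swapped in for the md5(name.secret) construction described above.

```php
<?php
// Added example: a download.php helper applying the two checks discussed
// in this thread. DOWNLOAD_DIR and LINK_SECRET are placeholders.
const DOWNLOAD_DIR = '/var/www/files';                     // assumed base directory
const LINK_SECRET  = 'replace-with-a-long-random-secret';  // placeholder secret

// Resolve the requested name against the base directory and make sure the
// canonical result is still inside it (the realpath() comparison).
function resolveDownloadPath(string $requested): ?string
{
    $base = realpath(DOWNLOAD_DIR);
    if ($base === false) {
        return null;                      // base directory missing or misconfigured
    }
    $full = realpath($base . '/' . $requested);
    if ($full === false) {
        return null;                      // file does not exist
    }
    // Compare with the trailing separator so "/var/www/files2/x" is rejected too.
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                      // resolved outside the base directory
    }
    return $full;
}

// The keyed-checksum idea, using hash_hmac() instead of md5(name.secret):
// HMAC is the standard keyed construction for this purpose.
function signFilename(string $filename): string
{
    return hash_hmac('sha256', $filename, LINK_SECRET);
}

function verifyFilename(string $filename, string $sig): bool
{
    return hash_equals(signFilename($filename), $sig); // constant-time compare
}

// Request handling: reject unless the link was generated by us AND the
// resolved path stays under DOWNLOAD_DIR.
$name = (string)($_GET['filename'] ?? '');
$sig  = (string)($_GET['checksum'] ?? '');
$path = verifyFilename($name, $sig) ? resolveDownloadPath($name) : null;
if ($path === null) {
    http_response_code(404);
    exit;
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
readfile($path);
```

Links are generated with signFilename() on the server side, so a request whose filename was altered fails the HMAC check before realpath() is even consulted.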

