[n00b] mod_rewrite to prevent directory traversal attacks

Hi there!
I am totally new to the security field.
I have a simple php script that tracks my users activities:

$ref=$_SERVER['HTTP_REFERER'];
$ip=$_SERVER['REMOTE_ADDR'];
$page=$_SERVER['REQUEST_URI'];
include("etc/config.mysql.php");
$conn_visits=mysql_connect($mysql_hostname,$mysql_username,$mysql_password) or die (mysql_error());
mysql_select_db($mysql_db) or die (mysql_error());
mysql_query("INSERT INTO `visits` (`id` ,`ip` ,`session`, `page`,`referer` ,`date`) VALUES ( '' , '$ip', '$sid','$page','$ref',  CURRENT_TIMESTAMP)") or die (mysql_error());
mysql_close($conn_visits) or die (mysql_error());

I noticed that a user tried to load this page: /index.php?dir=../../../../../../../../../../../../..//proc/self/environ%0000

2012-04-15 07:34:26 103.29.196.12 c4ca4bf185f588f6b739952f4f6d15e9  /blog/2012/03/16/index.php?dir=../../../../../../../../../../../../..//proc/self/environ%0000
2012-04-15 07:34:22 103.29.196.12 b302b847e98edd619b0fd520b95ce69a  /index.php?dir=../../../../../../../../../../../../..//proc/self/environ%0000

By googling I realised it was an attempt to view private system information, called a “directory traversal attack”.

My question is, can I prevent this by setting a mod_rewrite instruction to redirect to a given URL all URLs containing “../../”?
Thank you

o.

Actually what you should do is make sure that “?dir=../../../../../../../../../../../../..//proc/self/environ%0000” didn’t work. Most likely it was just an automated bot probing your server. Doing some funky mod_rewrite stuff is not necessary.

Btw…you could dump the whole “track” user thing. The Web server should already be configured to log every single request for you. It is a lot more efficient to let the web server do it than to constantly open and close a connection to the database.

Thank you for the reply, logic_earth.

The /proc/self/environ doesn’t work, I checked it myself; maybe the mod_rewrite thing could be a “general” solution for that attack, but I repeat, I am totally new to these things, so my question is still active.

The point of the php script is: the hosting service (~15$/year) doesn’t show me apache logs and the site itself has poor traffic (5/10 users per day); I use that script mostly to check social networks and sites my users come from; keywords etc are tracked with google webmaster’s tools :)

oal,

Are you using Magic Quotes? Are they enabled (see your phpinfo() printout)? If they are, disable them ASAP!

Other than that, l_e’s statement that $dir is doing nothing is valid so you can consider this to be a clumsy hack-attack by a “script kiddie.”

Once you’re past that, consider yourself lucky as you’ve opened yourself to SQL-injection attacks by not using the mysqli_real_escape_string on the values obtained as input (okay, I believe it’s just the HTTP_REFERER in this case) which can be modified by the visitor to change the mysqli_query string to get sensitive data from the MySQL server. In other words, please read the first few posts of the Sticky on resources 'cause your PHP is simply NOT secure.

Regards,

DK
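As an added example (not the original poster’s script and not code from DK), here is the same visit insert rewritten with mysqli prepared statements, so the referer and request URI are bound as data instead of being concatenated into the query string. It assumes the same variables from etc/config.mysql.php as the original and that the session id comes from session_id().

```php
<?php
// Added example: the visit logger from the original post rewritten with
// mysqli prepared statements. Assumes etc/config.mysql.php defines
// $mysql_hostname, $mysql_username, $mysql_password and $mysql_db as in
// the original script, and that $sid comes from session_id().
include 'etc/config.mysql.php';

// Raise exceptions on failure instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// HTTP_REFERER is optional and fully visitor-controlled; REQUEST_URI is
// visitor-controlled too (it carried the ../../ probe in the logs above).
// Neither is trusted: both are bound as parameters below, never concatenated.
$ref  = $_SERVER['HTTP_REFERER'] ?? '';
$ip   = $_SERVER['REMOTE_ADDR'];
$page = $_SERVER['REQUEST_URI'];
$sid  = session_id();   // assumption: a session was started earlier in the page

$conn = new mysqli($mysql_hostname, $mysql_username, $mysql_password, $mysql_db);
$conn->set_charset('utf8mb4');

// The ? placeholders fix the query structure before any value is seen.
// `id` is left to AUTO_INCREMENT rather than inserting '' as the original did.
$stmt = $conn->prepare(
    'INSERT INTO `visits` (`ip`, `session`, `page`, `referer`, `date`)
     VALUES (?, ?, ?, ?, CURRENT_TIMESTAMP)'
);
$stmt->bind_param('ssss', $ip, $sid, $page, $ref);
$stmt->execute();

$stmt->close();
$conn->close();
```

With the values bound this way, a referer containing quotes or SQL keywords is stored verbatim as a string and cannot change the INSERT into a different statement.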

Ok, thank you very much, nice to learn something new!

oal