guff

Quick and dirty security

Checking the date on my last guff entry shows I’ve been AWOL for nearly a month. To the uninitiated: I do that from time to time. No apologies. The reason for posting now is that over a 14 hour span (of which 6 were spent asleep), I went through two security updates to my plugin-related script, Quick & Dirty PHPSource Printer (or as I refer to it in my overly-complicated little head, Q&DPHPSP). It’s possible I could push out a third before the day is out, if I’m still missing something. And on this, I really don’t want to be missing something.

It began after 11pm Sunday when I checked my email and saw a message from one Seth Alan Woolley. Don’t know him–or at least I don’t recognize his name. During the months I’ve been hanging around the WordPress support fora, it’s not unusual to receive email with unfamiliar monikers in the header. 99 times out a 100 these turn out to be requests for help on some problem, or to expand on a solution I’ve posted, or…well, try to imagine. These I tend to drop into my email ‘slush’ pile that 99 times out of a 100 I get around to answering, but just not RIGHT NOW. However, Seth’s email stood out a bit due to the subject line: directory traversal for Quick & Dirty Source PHP Source Printer. Not how I expect an email asking for help to read. There are two areas in the act of code writing that really really annoy me personally: 1. I make the same error in coding logic over and over again, refusing to see it until it hits me in the face with a frying pan, and 2. I perform a major blunder due to my own lack of knowledge, or perhaps failing in the due diligence of testing a feature or component of my work. In regards to the topic of Seth’s email to me, a glance at the subject line told me there’d be a decent helping of both portions to be found.

As noted, Q&DPHPSP is a script. And as one might deduce from the name, it’s job is to display the source of PHP files, with syntax highlighting. Though designed with WordPress plugins in mind, you can submit any filename through the script’s “file” query and have its innards output to the browser, all colorful (if there’s PHP code in it). Thing is, you probably don’t want to allow people to point Q&DPHPSP at just any file, like an “include” holding your SQL login and password, or the server’s passwd file. That wouldn’t be good, you’d probably tell me. And since I’d have to agree, I stuck code in limiting which directory is accessed; by default: wp-content/plugins/. That’s not enough, though. I can’t restrict what someone enters in a browser’s URL (location or address) field, which means you can provide more than a filename. For example, you could provide a (directory) path along with it. Well not just a path, since you’d rarely get lucky with wp-content/plugins/etc/passwd. Rather a path–or directory–traversal, like say ../../../do_not_read/this_file. That would take you three directories up and to this_file in the do_not_read/ directory. Traversed paths can be quite useful in relation to relative links to images or other material on a web page. But for the purposes of such as my script, they strike a big security bell.

So what to do? Well, all you need do is watch for attempts at path traversal, and “filter” them out before they can cause any harm. And that’s what I did with this line of code:

$file = str_replace('../', '', $file);

Looks good, eh? (Right now there’s a few readers shaking their heads. I won’t work for their willing suspension of disbelief on this story.) It compares the file’s name ($file) against “../“, and where it appears strips it out (replaces it with “”) and invalidates the path. I must have thought at the time that it was a simple solution to a very big problem.

If only…

Subject: directory traversal for Quick & Dirty Source PHP Source Printer
From: Seth Alan Woolley
Date: 7/3/2005 9:50 PM

kaf,

url?file=…/…//…/…//…/…//…/…//…/…//…/…//etc/passwd

…

Uh, oops. Yes, the above worked with Q&DPHPSP. And the moment I saw it the 180 my brain did in my skull hurt like you wouldn’t believe. So as I said, two security updates to the same script in less than one day. First attempt worked nominally, but turned out to be hiding an error brought to my attention by Chew Keong Tan at Secunia, a security services and advisory company. Didn’t I mention my little security bug is appearing on advisory lists? That’s what happens when you release your work to the wild. Anyway, it’s my first time… The second repair (putting Q&DPHPSP at R1.1.1) has been pounded on in a number of ways, and goes further in shoring up against path traversal attacks. Basically, don’t think about naming a file something like script[dot][dot]php (not that you would) if you want to use it with Q&DPHPSP. I’ve chosen paranoid over smart as the best method of protection.

On a side note, for those who happen to know about my outgoing mail problems for (apparently) the past month or more, it’s fixed. I’m again sending over my own stuff (i.e. szub.net). Thank the Illuminati for small favors.