
Geek Culture / Prevent directory browsing outside of webroot on server?

Phaelax (DBPro Master, 20 years of service)
Joined: 16th Apr 2003
Location: Metropia
Posted: 12th May 2017 01:46
Working on a file browser but need it to scan server side, not on the client side.

Essentially, what I need is this:
<input id="files" type="file" accept="video/*" multiple><br>

But lists server side files. Using PHP's scandir I noticed one thing that bothers me: it lists everything back to the root of the server, not just the web directory! I've searched around the net but couldn't find a reason for this. The root folder is "nas/web", that's where it displays the default index file. So as far as I understand, that should be the root container as far as PHP is concerned. Why am I able to list files way above that directory? Is this an Apache issue? This is the web server built in with my QNAP NAS.

"I like offending people, because I think people who get offended should be offended." - Linus Torvalds
Phaelax (DBPro Master, 20 years of service)
Joined: 16th Apr 2003
Location: Metropia
Posted: 12th May 2017 03:07
So it looks like it scans directories as far back as the server root rather than stopping at the document root like I expected.

BatVink (Moderator, 20 years of service)
Joined: 4th Apr 2003
Location: Gods own County, UK
Posted: 12th May 2017 07:45
Restrict it with your .htaccess file?
Quidquid latine dictum sit, altum sonatur
TutCity is being rebuilt
PAGAN_old (18 years of service)
Joined: 28th Jan 2006
Location: Capital of the Evil Empire
Posted: 9th Jun 2017 21:18
I use some smartass FTP restricted-use type thing. (Don't ask; my friend dug this method up somewhere.) The creation involves making an FTP user, then chrooting him into some isolated jail, I think (we use FreeBSD), and setting some sketchy restriction... yeah, directory restriction something... configurations on this FTP user, deleting his home folder, and letting him out and giving the access to whoever you want to have access to their web folder but no deeper.

Here is the dude's manual if you want to check it out, but it's in Russian and I don't feel like translating it.

http://sbin.su/?tag=ftp

I've been using this method for everyone who I want to keep outside of root and it's rock solid.

I mean the page is in Russian but you can still read the configs and translate the general gist of things from FreeBSD to whatever you are using.
Phaelax (DBPro Master, 20 years of service)
Joined: 16th Apr 2003
Location: Metropia
Posted: 9th Jun 2017 23:37
That looks like it restricts access to an FTP user rather than the PHP server. And htaccess wouldn't work because the PHP processor wouldn't go through the apache server for access to the file system, at least I don't think it would. Since I had to write my own file browser anyway (because existing ones search the client not the server), I simply prevent the user from being able to go any higher in the directory tree. Basically, if the requested path does not include the document root, deny it.

PAGAN_old (18 years of service)
Joined: 28th Jan 2006
Location: Capital of the Evil Empire
Posted: 10th Jun 2017 03:18
Well, I still keep my PHP off unless I need it because, like you said, concern about script kiddies breaking in. But you're what, concerned about the browser seeing into the root? What kind of browser is it, anything like CoreFTP or Filezilla? Because... wait a sec. I think I did this differently... (For a second I thought that my master FTP user can see all the way into root but... hold on, lemme check... heh, it can't get past the folder with all the websites. But that's because I restricted myself too.) I honestly don't remember what I did and if this was before the FTP users or not, but I DO remember that the first time I set it up, I could also see root.
Phaelax (DBPro Master, 20 years of service)
Joined: 16th Apr 2003
Location: Metropia
Posted: 12th Jun 2017 16:18
I'm not accessing the files over ftp. I built a file browser using scandir(), which returns the file structure as the php server sees it directly and doesn't go through Apache first.

The site will ultimately be run locally on a network, but I wanted the extra security so I can demo it publicly.

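A worked version of the check Phaelax describes (deny any request that does not resolve inside the document root), added here as an example and not code from the thread: the requested path is canonicalised with realpath() so that "../" segments and symlinks are collapsed before comparing, and the comparison includes the trailing separator so a sibling such as /nas/web2 is not mistaken for something under /nas/web. The root /nas/web comes from the thread; the function names, the sample requests and the assumption that the directories exist are mine.

```php
<?php
// Added example (not from the original thread). Lists a directory with scandir()
// only when the request resolves to the document root or a directory below it.

/**
 * Resolve $requested relative to $root and return the canonical path, or null
 * if it escapes the root. realpath() collapses "../" and symlinks, so a plain
 * substring test on the raw request string would not be a reliable check.
 */
function resolve_inside_root(string $requested, string $root): ?string
{
    $rootReal = realpath($root);
    if ($rootReal === false) {
        return null; // the root itself does not exist: refuse everything
    }
    // Always treat the request as relative to the root, never as an absolute path.
    $candidate = realpath($rootReal . DIRECTORY_SEPARATOR . ltrim($requested, '/\\'));
    if ($candidate === false) {
        return null; // nonexistent path (or an unresolvable component)
    }
    // The trailing separator matters: "/nas/web" must not match "/nas/web2".
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($candidate !== $rootReal && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved to somewhere above or beside the document root
    }
    return $candidate;
}

/** Entries of a directory under $root, or null when the request is denied. */
function list_dir_safe(string $requested, string $root): ?array
{
    $dir = resolve_inside_root($requested, $root);
    if ($dir === null || !is_dir($dir)) {
        return null;
    }
    // scandir() has no notion of a web root; the check above is the only guard.
    return array_values(array_diff(scandir($dir), ['.', '..']));
}

// Usage with the root named in the thread (assumed to exist on the NAS).
$root = '/nas/web';
foreach (['videos', '../../etc', 'videos/../../web2'] as $req) {
    $entries = list_dir_safe($req, $root);
    echo $req, ' => ', $entries === null ? 'denied' : count($entries) . ' entries', PHP_EOL;
}
```

Only the first request is served; the other two resolve outside /nas/web and are denied before scandir() is ever called.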
PAGAN_old (18 years of service)
Joined: 28th Jan 2006
Location: Capital of the Evil Empire
Posted: 27th Jun 2017 07:54
Heh... well, in that case I wouldn't know... Your thing sounds cool though.