Directory Traversal - pallavitewari21/Secure-Code GitHub Wiki
Risks
If an attacker discovers a directory traversal vulnerability, it is only a matter of time before they compromise your system. An experienced attacker will have seen a similar technology stack, and will have a playbook of things to try next.
If your site is indexed on Google, and you have URLs that pass file names in the query string, you are likely advertising a potential vulnerability to attackers. Hackers often use search engines to locate likely targets, and will search for tell-tale URLs. Try searching Google for site:<yourdomain.com> inurl:file= to see if any results get returned!
Prevention
Use a Content Management System
If your site handles a lot of documents, chances are the workflows around uploading, indexing, publishing, and replacing documents will be quite involved. You may have non-technical users acting as administrators. If this is the case, look into using a third-party content management system, which is designed for exactly these cases.
A modern CMS will protect against directory traversal.
Use Indirection
If a content-management system proves too heavyweight as a solution, consider using indirection to label your files. Each time a file is uploaded, construct a “friendly” name for this on your site, and when the file is accessed, perform a lookup in your data-store to discover the actual file path.
This approach effectively white-lists valid names, and avoids the fragility of passing around raw file paths.
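The indirection described above, as an added example that is not part of the original wiki page. The upload handler stores each file under a server-generated name and records a friendly label for it; a request is resolved only by looking the label up in that table, so no part of the request ever becomes a filesystem path. The temporary storage directory and the in-memory DOCUMENT_INDEX dictionary are constructed stand-ins for a real storage location and data-store.

```python
import pathlib
import re
import secrets
import tempfile
from typing import Dict, Optional

# Constructed for this example: a throw-away storage directory and an in-memory
# stand-in for the data-store. A real site would keep this table in a database.
STORAGE_DIR = pathlib.Path(tempfile.mkdtemp(prefix="docstore-"))
DOCUMENT_INDEX: Dict[str, pathlib.Path] = {}


def friendly_name(original: str, index: Dict[str, pathlib.Path] = DOCUMENT_INDEX) -> str:
    """Derive a URL-safe label from the uploaded file's name, unique within the index."""
    base = re.sub(r"[^a-z0-9]+", "-", original.lower()).strip("-") or "document"
    label, n = base, 1
    while label in index:  # keep labels unique without exposing any path
        n += 1
        label = f"{base}-{n}"
    return label


def register_upload(original: str, content: bytes,
                    index: Dict[str, pathlib.Path] = DOCUMENT_INDEX,
                    storage: pathlib.Path = STORAGE_DIR) -> str:
    """Store content under a server-chosen file name and return the label to publish."""
    stored = storage / f"{secrets.token_hex(16)}.bin"  # the client never picks this name
    stored.write_bytes(content)
    label = friendly_name(original, index)
    index[label] = stored
    return label


def lookup(label: str, index: Dict[str, pathlib.Path] = DOCUMENT_INDEX) -> Optional[pathlib.Path]:
    """Map a label taken from the URL back to a stored path, or None if it is unknown.

    Only exact keys in the index resolve; "../" or encoded variants simply miss.
    """
    return index.get(label)


def read_document(label: str, index: Dict[str, pathlib.Path] = DOCUMENT_INDEX) -> Optional[bytes]:
    """Serve a document by label; None means 'not found', never a filesystem probe."""
    path = lookup(label, index)
    return path.read_bytes() if path is not None else None
```

Because the label is the only thing a client can influence, the allow-list is the set of keys in the index itself; an unknown label returns None and the server answers 404 without touching the disk.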
Segregate Your Documents
Hosting documents on a separate file-server or file partition, or in cloud storage, is a good idea too. This keeps public documents from being mixed with more sensitive material.
Sanitize Filename Parameters
If you insist on using raw file names, you need to sanitize the file names coming in from HTTP requests. Initially, this would seem to be simply a matter of checking for “back-tracking” paths starting with ../.
In actual fact, it is a lot more complex than that. For example, Unix file systems interpret paths starting ~/ as relative to the home directory. It is even easier to construct a lot of ambiguous paths in Windows. Moreover, depending on how URLs are encoded, it is possible to obscure malicious paths. See here for a list of exploits people have found.
The safest approach is to restrict filenames to a list of known good characters, and ensure that any references to files use only those characters.
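The sanitization steps above, as an added example that is not part of the original wiki page. It first decodes the parameter repeatedly so that double-encoded sequences cannot slip past the check, then applies an allow-list of known good characters (no slashes, backslashes, tildes, NUL bytes, or leading dots), and finally, as a second line of defense, confirms that the resolved path still lies inside the document root. DOCUMENT_ROOT, the SAFE_NAME pattern and the UnsafeFilename exception are assumptions made for this example.

```python
import os
import re
import urllib.parse

# Assumed document root for this example; any directory works.
DOCUMENT_ROOT = os.path.realpath("/srv/app/documents")

# Allow-list: a leading alphanumeric, then alphanumerics, "_" or "-", with an
# optional single extension. There is no way to spell "/", "\", "~" or "." runs.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]*(\.[A-Za-z0-9]+)?$")


class UnsafeFilename(ValueError):
    """Raised when a request parameter does not name a file we are willing to serve."""


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so %252e%252e (double-encoded ..) is seen for what it is."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_document(name: str, root: str = DOCUMENT_ROOT) -> str:
    """Return the on-disk path for a request parameter, or raise UnsafeFilename."""
    decoded = fully_decode(name)
    # Step 1: allow-list the characters. This alone rejects "../", "~/", "..\",
    # NUL bytes and anything else that is not a plain file name.
    if not SAFE_NAME.fullmatch(decoded):
        raise UnsafeFilename(f"rejected filename: {name!r}")
    # Step 2: defence in depth. Even if the allow-list were ever loosened, the
    # resolved path must still sit inside the document root.
    candidate = os.path.realpath(os.path.join(root, decoded))
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafeFilename(f"escapes document root: {name!r}")
    return candidate


def is_safe(name: str) -> bool:
    """Convenience wrapper for request validation: True if the name would be served."""
    try:
        resolve_document(name)
        return True
    except UnsafeFilename:
        return False
```

Note the order: decode first, then validate, then resolve. Validating before decoding is the mistake that lets an encoded ../ through, and resolving before validating is what makes the "ambiguous path" tricks on Windows pay off.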
Run with Restricted Permissions
It is a good practice to run your server processes with only the permissions that they require to function – the principle of least privilege. This can help limit the impact of vulnerabilities as a second line of defense.
Make sure the server process can only access the directories it needs. Consider running the process in a chroot jail if you are running on Unix. This will mitigate the risks if a directory traversal vulnerability is discovered.