Directory traversal prevention
December 20, 2008 by Marcos Christodonte II
Source: Acunetix.com
I was recently reviewing a case study about a company that was targeted and compromised through a directory traversal exploit. A directory traversal (also called path traversal) vulnerability lets an attacker read files outside the directory the application is meant to serve, typically by placing “../” sequences, or encoded variants such as “%2e%2e%2f”, in a path parameter that the application passes straight to the filesystem. This is normally the result of sloppy programming that lacks input validation.
In this particular case, the attacker needed nothing more than ordinary HTTP “GET” requests. Because the server did not validate the requested path, the attacker could append arbitrary traversal strings to the URL and walk out of the web root to the application’s own files. In the end, they were reading configuration files of a back-end application that only administrators were ever supposed to be able to access.
To prevent the compromise of this system, security managers should have ensured that the server validated its input: a requested path should be decoded, canonicalized, and then checked to confirm that it still resolves inside the intended directory, with anything else rejected rather than “cleaned up.” In addition, a patch for this vulnerability had been released six months earlier. Without an effective patch management program, organizations learn about a vulnerability, or apply the fix, only after it has already been exploited. Security bulletins from vendors and from organizations such as CERT should therefore be read as they are published and applied when relevant.
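The following is an added example, not code from the original post or from Acunetix, showing the difference between the vulnerable pattern described above and the validation the post calls for. The layout (a “public” directory served by a file handler) and the function names are assumptions made for illustration; the hardened resolver decodes percent-encoding, canonicalizes the path, and refuses anything that does not stay inside the served directory.

```python
"""Directory traversal: a vulnerable file read beside a hardened one.

Added example for illustration; the "public" document root and the helper
names below are assumptions, not the application from the case study.
"""
import os
import tempfile
from urllib.parse import unquote


def make_demo_root():
    """Construct a throwaway document root for the example (constructed data).

    public/index.html is the one file that should be served; config.ini sits
    one level above the served directory and must never be reachable.
    """
    root = tempfile.mkdtemp()
    public = os.path.join(root, "public")
    os.mkdir(public)
    with open(os.path.join(public, "index.html"), "w") as f:
        f.write("hello")
    with open(os.path.join(root, "config.ini"), "w") as f:
        f.write("db_password=secret")
    return root, public


def read_vulnerable(public_dir, requested):
    """Vulnerable pattern: the path from the GET request is joined as-is.

    "../config.ini" resolves to public_dir/../config.ini and is served.
    """
    path = os.path.join(public_dir, requested)
    with open(path) as f:
        return f.read()


def resolve_safe(public_dir, requested):
    """Map a request path to a file under public_dir, or return None.

    Validation steps: decode, reject NUL bytes, normalise separators,
    canonicalise, then confirm the result is still inside public_dir.
    """
    # Decode percent-encoding so %2e%2e%2f is seen as ../ ; decode twice so a
    # double-encoded payload (%252e%252e%252f) is also caught.
    decoded = unquote(unquote(requested))
    # A NUL byte can truncate the path in C-level filesystem calls.
    if "\x00" in decoded:
        return None
    # Treat backslashes as separators so ..\..\ is handled the same on any OS.
    decoded = decoded.replace("\\", "/")
    # Strip leading slashes: os.path.join would otherwise discard public_dir
    # entirely and treat the request as an absolute path.
    decoded = decoded.lstrip("/")
    base = os.path.realpath(public_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    # Compare against base plus a separator so that a sibling directory such
    # as /srv/public2 is not accepted for a base of /srv/public.
    if candidate != base and not candidate.startswith(base + os.sep):
        return None
    return candidate


def read_safe(public_dir, requested):
    """Hardened read: serve only regular files that resolve inside public_dir."""
    path = resolve_safe(public_dir, requested)
    if path is None or not os.path.isfile(path):
        return None
    with open(path) as f:
        return f.read()


if __name__ == "__main__":
    _, public = make_demo_root()
    print("vulnerable:", read_vulnerable(public, "../config.ini"))
    print("hardened:  ", read_safe(public, "../config.ini"))
    print("hardened:  ", read_safe(public, "index.html"))
```

The canonicalize-then-compare check is the part that matters: stripping “../” from the input is not enough, because encoded, double-encoded, and backslash forms all bypass a naive string filter, while a real path comparison after os.path.realpath catches every one of them in the same place.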

