
While performing a security assessment on a web-based security panel plugin, I was going through the different features one by one, nothing fancy, just normal exploration.
One thing that caught my attention was the file editor inside the scanner module.
Whenever I come across file editors, file uploads, or anything else related to file paths, I slow down and start testing more carefully, because from experience these areas often hide interesting bugs.

The application allows users to open and edit files directly from the UI.
When I opened a file, I intercepted the request in Burp and saw something like this:
GET /<SESSION>/index.php?act=domain&iframe&ajax=1&script=scanner/editor.php&filepath=domain/dashboard.php
The application was loading the file using the filepath parameter.
I took a moment and thought: what if the application is trusting this parameter too much?
So I first tried filepath=etc/passwd. As expected, that did not work, because there is no etc/passwd relative to the current directory. But when I changed the payload to ../../../../../../../../../../etc/passwd, the contents of /etc/passwd appeared in the output.
When I reviewed the backend logic, it was something like this:
// The path comes straight from the request (GET or POST) with no validation.
$filepath = $_GET['filepath'] ?? $_POST['filepath'] ?? '';
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    // Read: whatever path the client supplied is opened and returned as-is.
    echo file_get_contents($filepath);
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Write: client-supplied content is written to the same unvalidated path.
    $content = $_POST['filecontents'] ?? '';
    file_put_contents($filepath, $content);
}
At first glance, this looks simple and harmless, but here is the issue:
the application accesses the file directly from user input. There is no validation and no check to ensure the user is not reaching a critical file, nothing at all. Both branches are affected: the GET branch passes the path to file_get_contents() and the POST branch passes it to file_put_contents().
Because of this, an attacker can:
Access unintended files inside the application
Read sensitive configuration or source code
Potentially escalate the attack further
POC
Step 1: Log in to the application
Step 2: Open the file editor
Step 3: Intercept the request in Burp
Step 4: Modify filepath to
GET /<SESSION>/index.php?act=cpguard&iframe&ajax=1&script=scanner/editor.php&filepath=../../../../../../../../../../etc/passwd
Result: unintended files are returned in the response.
How It Was Fixed
To fix this issue, the following changes were implemented:
Restrict file access to a specific base directory
Canonicalise file paths using realpath()
Ensure the resolved path stays inside the allowed directory
Block traversal patterns and unexpected inputs
After applying these fixes, all traversal attempts were successfully blocked.
Fix Example
// Canonical base directory; everything the editor serves must live under it.
$baseDir = realpath(__DIR__ . '/allowed_files');
$inputPath = $_GET['filepath'] ?? '';
// Strip leading slashes so the input is always treated as relative to $baseDir.
$inputPath = ltrim($inputPath, '/\\');
$fullPath = $baseDir . DIRECTORY_SEPARATOR . $inputPath;
// realpath() collapses "../" segments and resolves symlinks; it returns false
// when the file does not exist.
$realPath = realpath($fullPath);
// Require the resolved path to start with "$baseDir/" including the separator.
// A bare prefix test on $baseDir alone would also accept a sibling directory
// such as allowed_files_backup.
if ($baseDir === false || $realPath === false
    || strpos($realPath, $baseDir . DIRECTORY_SEPARATOR) !== 0) {
    die("Access denied");
}
echo file_get_contents($realPath);
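The fix above covers the read path, but the original handler also wrote files on POST, and realpath() returns false for a file that does not exist yet, so a write check needs to canonicalise the parent directory instead. The following is an added example, not the plugin's own code: it confines both reads and writes to a base directory and checks the boundary with a trailing separator. The function name, the sandbox directory and the sample paths are constructed for the demonstration.

```php
<?php
// Added example, not the plugin's code: confine a user-supplied editor path to
// $baseDir for both reading (GET) and writing (POST); null means "refuse".
function resolveEditorPath(string $baseDir, string $input, bool $forWrite): ?string
{
    $base = realpath($baseDir);
    // Refuse a misconfigured base, an empty name, or a NUL byte in the name.
    if ($base === false || $input === '' || strpos($input, "\0") !== false) {
        return null;
    }
    // Leading slashes are stripped so the input is always relative to $base.
    $candidate = $base . DIRECTORY_SEPARATOR . ltrim($input, '/\\');
    if ($forWrite) {
        // The target may not exist yet, so canonicalise its parent directory
        // (which collapses "../" and resolves symlinks) and re-attach the name.
        $parent = realpath(dirname($candidate));
        if ($parent === false) {
            return null;
        }
        $resolved = $parent . DIRECTORY_SEPARATOR . basename($candidate);
    } else {
        $resolved = realpath($candidate);
        if ($resolved === false || !is_file($resolved)) {
            return null;
        }
    }
    // Boundary check with a trailing separator: a bare prefix comparison would
    // also accept a sibling directory such as "allowed_files_backup".
    if (strncmp($resolved, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $resolved;
}

// Demonstration against a constructed sandbox directory.
$sandbox = sys_get_temp_dir() . '/editor_demo_' . bin2hex(random_bytes(4));
mkdir($sandbox . '/domain', 0700, true);
file_put_contents($sandbox . '/domain/dashboard.php', "<?php // demo\n");
$cases = [
    ['domain/dashboard.php', false],            // legitimate read
    ['../../../../../../etc/passwd', false],    // the traversal from the write-up
    ['domain/../../outside.php', true],         // write that would escape the base
    ['domain/new_file.php', true],              // legitimate write to a new file
];
foreach ($cases as [$path, $write]) {
    $resolved = resolveEditorPath($sandbox, $path, $write);
    printf("%-30s %-5s => %s\n", $path, $write ? 'write' : 'read', $resolved ?? 'denied');
}
```

In the real handler the returned path would replace $filepath in both the file_get_contents() and file_put_contents() calls, with a null result ending the request as "Access denied".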