By tricking a web server into exposing otherwise restricted information, attackers can gain a powerful tool to compromise a system and cause significant damage. Directory traversal is a common method used to achieve this. An attempt to navigate outside the areas of the filesystem reserved for a particular website can lead to data theft and arbitrary code execution.
Typically, web servers restrict access to the file system by confining a website’s files inside its root directory, also known as the document root folder. However, cybercriminals can circumvent these security controls and exploit insecure file permissions. This way, they can gain unauthorized access to critical information stored elsewhere on the victim’s server.
File inclusion vulnerabilities, regularly identified in plugins and themes, make WordPress websites a high-priority target for attacks involving directory traversal. And while implementing secure coding practices is a task for plugin and theme developers, implementing good security practices is the responsibility of website owners.
In this guide to directory traversal, we will explore this common method hackers employ to break out of the website’s root directory to access restricted data. You will learn how path traversal enables attackers to successfully exploit local file inclusion (LFI) vulnerabilities to inflict damage and how to safeguard your WordPress website against these types of attacks by implementing robust security practices.
First, let’s look closer at the concepts of secure server operations. More specifically, how different types of data are separated in the server environment and what place website data has in this ecosystem.
How Data Partitioning Helps Secure Server Operations
Websites and web applications rely on servers to store their data. This data is then processed by web and database servers and other specific applications before being delivered to visitors’ browsers over the internet as requested web pages. Underlying hardware and software components work together to create a robust infrastructure that powers this functionality.
However, this client-server architecture also requires a mindful approach to server security. Critical services and other components of the server’s operating system must be fully separated from user files and website data. This separation of data on the file system is commonly known as data partitioning.
Data partitioning helps secure the most vulnerable aspects of server operations by segregating different types of data into separate partitions. The implementation of file system partitioning and other security mechanisms helps protect servers from unauthorized access to sensitive information and system-level compromises. Additionally, data partitioning enables efficient resource management and enhances server performance by separating frequently modified data from predominantly read-only files and isolating system and user data.
Web Server Access Control: Confining Website Data with Document Roots
To isolate website data from system data, web servers utilize the concept of document roots. This involves restricting website files to a designated directory on the file system, known as the root directory of a website. By defining the document root, the web server can correctly direct and respond to incoming requests for that website’s content. This root directory is the starting point for handling web requests for that website.
This confinement helps prevent unauthorized access to critical server data, such as operating system information and key configuration files, stored outside of the designated root directory. This means that any scripts or other content and functionality related to a particular website can only access and modify data within the root directory and its subdirectories, which protects the rest of the server in the event of a security breach.
In addition to document roots, web servers make use of other access control mechanisms to further restrict access to website data. One of the most notable mechanisms are file permissions. File permissions help enforce the principle of least privilege, which means that system users or processes are granted only the minimum level of access required to perform their intended functions.
Despite the robust security of this approach, hackers can employ a number of malicious techniques to bypass it. One such method is directory traversal. Directory traversal attacks exploit the weaknesses in website code and the implementation of secure permissions to trick the web server into revealing restricted information that would otherwise be inaccessible from the browser.
What is Directory Traversal?
Directory traversal, also known as path traversal, is a malicious technique aimed at granting access to restricted files and directories outside of the document root of the targeted website or web application. Path traversal allows the attacker to navigate through the server’s file system all the way to the root directory and other restricted folders through the browser – the type of behavior that should not be possible under normal circumstances.
Directory traversal is performed by manipulating the variables that reference files with the use of special characters, known as path traversal sequences. Sequences such as dot-dot-slash ‘../’ get interpreted by the web server, forcing it to move one directory up in the file system hierarchy, moving away from the website’s document root.
If a website is stored in /home/user/public_html, supplying a directory traversal sequence of ‘../../../etc’ will allow the attacker to navigate to the /etc directory, which stores critical system configuration on Linux servers.
If directory listing is disabled in the web server configuration, the cybercriminal won’t be able to view the contents of the requested directory. This can partially increase the security of the system and limit the potential damage inflicted by directory traversal attacks since the attacker will have to specify the exact file they want to display in the browser. But as most of the time, hackers know exactly what information they are looking for, disabling directory listing won’t prevent them from accessing it.
The /etc/passwd file is one of the common targets of directory traversal attacks. On Linux servers, the /etc/passwd file contains the list of users created on the server. This can give hackers a good starting point for brute force attacks on the users’ credentials. As /etc/passwd has file permissions of 644, which means it is readable to all users on the system, including the user the web server runs as. This way, the web server can render the contents of the file through the browser.
How Does Directory Traversal Work?
As a malicious technique, directory traversal is rarely used as the sole means of getting access to sensitive information on victims’ servers. First, attackers need to find a way to exploit a vulnerability on the targeted website to find a way to make it display the requested information in the browser. Only then is directory traversal used to navigate through the victim’s server’s file system to reach restricted directories.
File inclusion vulnerabilities are what enable the use of directory traversal. Directory traversal vulnerability occurs when a website does not properly sanitize user input, such as file paths supplied using dynamic file inclusion. A combination of local file inclusion (LFI) and directory traversal vulnerabilities present allow hackers to access data outside of the targeted website’s document root, revealing sensitive server information.
An Example of Directory Traversal
To get a better understanding of how local file inclusion and directory traversal vulnerabilities can be exploited, let’s take a look at the following example. This example is a simplified representation of how directory traversal is used via a file inclusion flaw.
A web developer adds a web page content.php that will be used to allow the website to load different pages or components dynamically based on the user’s request. For example, if a website visitor wants to view the “Contact Us” page, their request might be shown in the browser address bar as “https://website.com/content.php?page=contact_us“.
The content.php page would use the local file inclusion technique to reference the file that corresponds to the “contact_us” parameter, which could contain the PHP and HTML code for the requested “Contact Us” page. In this example, the content.php web page acts as a controller, which loads the appropriate file that generates the content dynamically based on the user’s input.
However, if the user’s input is not properly validated or sanitized, file inclusion and directory traversal vulnerabilities can be exploited by attackers to include arbitrary files, which would be then displayed in the browser.
For example, a hacker can pass “../../../../../var/log/apache2/access.log” as the value of the page query parameter – a series of directory traversal sequences followed by the address of the Apache web server’s main access log in the file system. This way, the attacker can view the contents of the log file, which contains sensitive information such as IP addresses, user agent strings, and URLs requested by website visitors.
How File Permissions Can Facilitate or Mitigate Directory Traversal
File permissions play a huge role in ensuring server and website security. By limiting access to the file to just particular system users and groups, permissions can help facilitate or mitigate directory traversal.
In a file inclusion attack using directory traversal, the contents of the file requested by the attacker would only be displayed in the browser if its file permissions allow the system using the web server runs as to read it. While some restricted files such as /etc/password have permissions of 644, which make them readable to all system users, other files remain only accessible to the root user.
The /etc/shadow file, which contains encrypted passwords for all users on a Linux server, has file permissions of 640, which makes it inaccessible to any users other than root. This makes it impossible for hackers to access the file through the browser via directory traversal.
How to Detect Directory Traversal Vulnerabilities on Your WordPress Site?
WordPress core maintains a high level of security and is fully protected from file inclusion vulnerabilities and directory traversal. However, the high customization options the platform offers raise the possibility of those vulnerabilities being present on a WordPress site. Even the most reputable WordPress plugins and themes can contain security flaws that are regularly discovered.
iThemes weekly WordPress vulnerability reports help you rapidly identify and patch newly disclosed vulnerabilities in WordPress plugins and themes, including directory traversal. Simply check the vulnerability reports to see if any security weaknesses have recently been found in the plugins you use on your WordPress site, as well as your active theme, and see if a patch has been released.
iThemes Security Pro can automate the process of scanning your WordPress website for vulnerabilities and rapidly patch the identified flaws on your behalf. iThemes Security Pro will conduct advanced vulnerability scanning twice a day, email you if any vulnerabilities are detected, and automatically install an update if a security fix is available.
How to Defend Against Directory Traversal?
Exploiting vulnerabilities found in plugins and themes is one of the biggest attack vectors that hackers use to gain unauthorized access, steal sensitive data, and upload malware, including backdoor shells, to WordPress websites. And while following secure coding practices falls into the scope of responsibilities of plugin and theme developers, WordPress website owners are responsible for implementing protective measures locally. Only a multifaceted approach to WordPress security can help reduce the risk of falling victim to modern sophisticated cyber attacks.
Keep all Software Updated
Keeping WordPress core, active plugins, and the chosen theme updated to the latest version available is the first step towards eliminating directory traversal and other severe application-level vulnerabilities. As new security flaws are identified in the software powering your WordPress site, it’s of utmost importance to install security patches as soon as they become available. Before the discovered vulnerability is addressed by the plugin or theme developer, the affected piece of software can be disabled to reduce the attack surface.
Keeping track of plugin and theme updates can be a challenging task, but with iThemes Security Pro, website owners can have access to a comprehensive solution that simplifies the process and helps ensure websites remain up-to-date and protected against security vulnerabilities. The Version Management feature offers automatic software updates to safeguard your WordPress site.
Configure Secure File Permissions
Secure WordPress file permissions provide an additional layer of defense against attacks aimed at getting access to sensitive website and server information. And although you rarely need to change file permissions of critical system configuration files and other restricted server data, the responsibility of setting up secure permissions for website files often falls on the website owner.
Keeping critical WordPress information such as the wp-config.php file can help effectively prevent cross-account compromises through symbolic links of file inclusion attacks exploiting directory traversal vulnerabilities. File permissions checks in iThemes Security Pro help website owners ensure this critical security mechanism is correctly implemented on their WordPress sites.
Implement a Web Application Firewall
Firewalls work by filtering out malicious web requests that match known patterns or exhibit anomalous patterns before they are passed to the web server. As a robust first line of defense against a vast array of bot-driven cyber attacks, such as denial of service (Dos) and distributed denial of service (DDoS), and data injection attacks such as cross-site scripting (XSS) and SQL injections (SQLi).
Implementing a web application firewall (WAF) or a combination of a host-based and cloud-based intrusion prevention solution can significantly reduce the possibility of a successful break-in attempt. Acting as a second layer of defense against file inclusion and directory traversal vulnerabilities, web application firewalls ensure that hackers can exploit any security weaknesses found in unpatched versions of plugins and themes.
With IThemes Security Pro, brute force protection and built-in bot management solutions help stop bad bots and filter out malicious web requests from reaching your website. With an addition of multi-factor authentication powered by passkeys with biometric logins, this comprehensive security suite offers a multifaceted approach to defending your website against various types of security threats.
Secure Your WordPress Website With iThemes Security Pro
File inclusion and directory traversal vulnerabilities pose a significant threat to website security, as they are frequently exploited by hackers looking to gain unauthorized access to sensitive data or execute malicious code on the victim’s server. Using directory traversal sequences and supplying a vulnerable website with the path to certain data, an attacker can trick the web server into exposing otherwise restricted server and website information.
Despite being widely studied and recognized, directory traversal remains a major concern for WordPress websites that rely on outdated software and lack proper security measures. Performing timely WordPress core, theme, and plugin updates, configuring secure file permissions, and implementing a web application firewall can significantly reduce the risk of your website being susceptible to file inclusion attacks leveraging directory traversal.
iThemes Security Pro can help you defend your WordPress website against a vast array of cyber threats by offering a comprehensive, multifaceted approach to website security. With advanced vulnerability scanning, automatic software updates, and powerful bot management solutions built-in, iThemes Security Pro acts as your personal security advisor, keeping your WordPress website safe and secure at all times.
The Best WordPress Security Plugin to Secure & Protect WordPress
WordPress currently powers over 40% of all websites, so it has become an easy target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.
Kiki has a bachelor’s degree in information systems management and more than two years of experience in Linux and WordPress. She currently works as a security specialist for Liquid Web and Nexcess. Before that, Kiki was part of the Liquid Web Managed Hosting support team where she helped hundreds of WordPress website owners and learned what technical issues they often encounter. Her passion for writing allows her to share her knowledge and experience to help people. Apart from tech, Kiki enjoys learning about space and listening to true crime podcasts.