What is Path Traversal?

Path Traversal, also known as Directory Traversal, is a type of security vulnerability that allows attackers to access files or directories outside the intended folder. In other words, an attacker tricks your website into opening files they should not have access to, such as system files, configuration files, or even user data.

Imagine you have a PHP script that lets users download images from your server. If the script takes the file name directly from user input without checking it, someone might try something like this:

http://example.com/download.php?file=../../../../etc/passwd

This request uses ../ (dot-dot-slash) to move up the directory tree and access critical system files like /etc/passwd (on Linux servers).

Why is Path Traversal Dangerous?

• Data Theft: Attackers can access sensitive files like database configurations, passwords, or API keys.
• System Control: In some cases, they can read files that help them gain full control of your server.
• Privacy Breach: User data stored on your server may be exposed.

A single vulnerability like this can compromise your entire application.

How Does Path Traversal Happen in PHP?

This issue usually occurs when developers use user input directly in file functions without proper validation. For example:

<?php
$file = $_GET['file']; 
include("uploads/" . $file);
?>

If the $file parameter is not validated, an attacker can exploit it by passing something like ../../secret/config.php to access files outside the uploads directory.

How to Prevent Path Traversal in PHP?

1. Validate User Input: Always check and filter the input from users. If the file must be an image, verify the file type and extension before using it.
2. Use Whitelists: Instead of allowing any file name, create a list of allowed files and check if the requested file exists in that list.
3. Real Path Checking: Use realpath() to ensure the file path stays within the intended directory.
4. Disable Directory Browsing: Prevent users from seeing which files exist in your server directories.
5. Use Secure Functions: Avoid using direct include or require with user input.

Example of safer code:

<?php
$allowed_files = ['image1.jpg', 'image2.jpg'];
$file = $_GET['file'];

if (in_array($file, $allowed_files)) {
    include("uploads/" . $file);
} else {
    echo "Invalid file.";
}
?>

Final Thoughts

Path Traversal in PHP is a serious security issue but also one of the easiest to avoid if you follow best practices. As a developer, always treat user input as untrusted, validate everything, and never allow direct access to files. Securing your PHP applications from such vulnerabilities not only protects your website but also builds trust with your users.