../../../test is giving 404 file or folder not found error

Question

0.00/5 (No votes)

See more:

I have an ASP.NET MVC application hosted in web server with URL http://10.26.14.99/projectA i.e. environment1 and same application is hosted in another web server with URL https://projectA.test.com i.e. environment2.

Now, for environment1 when I enter http://10.26.14.99/projectA/../../../../test it is showing the URL as http://10.26.14.99/test with 404 "File or Folder not found" error but at the same time for environment2 when if i enter https://projectA.test.com/../../../../test then it is showing the URL as https://projectA.test.com/test and it also takes me to the login page which is expected.

Can anyone please tell me what need to be done in environment1 to get the same expected result as the environment2?

What I have tried:

1. I tried the config changes like rewrite, httperrors to handle 403 error and custom errors to handle other errors.
2. I also tried by creating handler for pattern "*../*" to raise error if URL contains "../" but this also didn't worked.

I think it is not even hitting my application codebase in case of environment1.

Posted 17-Oct-17 20:17pm

Navin Ranjan

Updated 17-Oct-17 20:34pm

Add a Solution

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

OriginalGriff · Answer 1 · 2017-10-17T20:34:00

Solution 1

What did you expect?

http://10.26.14.99/projectA/../../../../test

In a path, ".." is a relative folder specifier: it says "folder above".
So you are asking for

root / projectA / folder above (giving root) / folder above root / folder above that / folder above that / test

You cannot use a relative specifier to go above the root folder!
So you get a 404, correctly.

Posted 17-Oct-17 20:34pm

OriginalGriff

Comments

Navin Ranjan 18-Oct-17 3:08am

This is an application security check where user can enter anything in the URL. This is a type of security threat called directory traversal attack.
I am not expecting but i can't stop user to enter ../../ in the url.
So, what i an trying to achieve here is that if user enters the ../ in the url then it should either redirect to the custom error page or redirect to the login page.

Navin Ranjan 18-Oct-17 3:47am

When i enter "http://10.26.14.99/projectA/../../../../test" in the url it is redirecting to "http://10.26.14.99/test" which means it is looking for file or folder with name test in 10.26.14.99 which doesn't exist, so getting the 404 error. I dont want the 404 error, i want to show the custom error page or redirect user to the login page. Is there a way to do that?