[kwlug-disc] Identify this exploit?
Mikalai Birukou
mb at 3nsoft.com
Sat Dec 28 09:48:26 EST 2019
## non-specific comment/rumble
Is it called in general a "directory traversal" bug?
I wanted to say that it is a PHP trouble (laughs), and then I thought
for a second:
- 7 months ago Confluence (Java) had this style of bug. My Confluence
server was hacked.
- A month ago, when writing my own thing (NodeJS), I was thinking about
containing path at app level. Like any human I make mistakes.
- Does any listening service run as root without dropping privileges for
request-serving processes?
It is not just PHP. It's a Unix problem. In general any process can name
any object in the system's whole root. Unix doesn't have true POLA. The ideal
solution is in the future where everything runs as WASI with admin-specified
allowed capabilities.
But today, the only action that I can take is to put that Confluence
server in an LXC container. A container that doesn't have non-system users in
/etc/passwd, because there is nothing else in the Confluence LXC, not even Jira.
How can I be sure that a human developer asked himself a question about
directory traversal, added code that isn't related to business logic,
and tested it in an adversarial approach? How can I be sure that usual
management will green-light and pay for the aforementioned steps, if a young
developer identifies them? I can't be sure. I have to jail and separate
things from each other.
LXC all Linux things!
On 2019-12-28 1:49 a.m., Paul Nijjar via kwlug-disc wrote:
> In my Apache logs I saw something like this, and my search-engine
> skills are weak:
>
> 133.18.209.124 - - [27/Dec/2019:04:09:39 -0500] "GET /download.php?file=../../../../../../../../../../../../etc/passwd HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
>
> It's pretty obvious what they are trying to do, but I am having
> trouble figuring out what the target is, exactly. Is this an exploit
> in a popular web package I should know about?
>
> - Paul