[kwlug-disc] Identify this exploit?

John Van Ostrand john at vanostrand.com
Sat Dec 28 11:14:09 EST 2019


I think you can also be exposed if you horribly misconfigure your web
server to allow access to those directories and files.

On Sat, Dec 28, 2019 at 10:06 AM Mikalai Birukou via kwlug-disc <
kwlug-disc at kwlug.org> wrote:

> Yes, this dot operator is not sanitizing paths.
>
> Is this a "let's try" automated trawling of the web? I wonder what region
> the request IP is from.
> On 2019-12-28 10:00 a.m., Mikalai Birukou via kwlug-disc wrote:
>
> I've duckduckgo-ed GET /download.php?file=../.
>
> This shows up
> https://www.tutorialrepublic.com/php-tutorial/php-file-download.php
>
> There is a download.php example file in it with
>
> ```php
> $file = urldecode($_REQUEST["file"]); // Decode URL-encoded string
> $filepath = "images/" . $file;
> ```
>
> PHP isn't my language, but nothing here jumps out saying "sanitize the path".
>
> How many people can use this example to add download functionality to
> whatever app/site? StackOverflow-style programming?
>
> Maybe it's a good idea to search the system for download.php?
>
>
> On 2019-12-28 1:49 a.m., Paul Nijjar via kwlug-disc wrote:
>
> In my Apache logs I saw something like this, and my search-engine
> skills are weak:
>
> 133.18.209.124 - - [27/Dec/2019:04:09:39 -0500] "GET /download.php?file=../../../../../../../../../../../../etc/passwd HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
>
> It's pretty obvious what they are trying to do, but I am having
> trouble figuring out what the target is, exactly. Is this an exploit
> in a popular web package I should know about?
>
> - Paul
>
>
> _______________________________________________
> kwlug-disc mailing list
> kwlug-disc at kwlug.org
> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>
> --
> Mikalai Birukou
> CEO | 3NSoft Inc.
>


-- 
John Van Ostrand
At large on sabbatical
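The check the quoted tutorial snippet is missing, as an added example (this is not the tutorial's code and not anything posted in the thread): the requested name is resolved with realpath() and accepted only if the result still sits under the intended directory. Only the "images/" directory name comes from the quoted snippet; the function name resolveDownloadPath and everything else here are assumptions.

```php
<?php
// Added example, not the tutorial's code: a download handler that confines
// the "file" parameter to a single directory. Only "images/" comes from the
// quoted snippet; the rest is an assumption about how such a handler looks.
declare(strict_types=1);

/**
 * Resolve a user-supplied file name against $baseDir and return the real
 * path only if it stays inside $baseDir; return null otherwise.
 */
function resolveDownloadPath(string $baseDir, string $requested): ?string
{
    // realpath() collapses "..", symlinks and duplicate slashes, and returns
    // false when the path does not exist.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Reject NUL bytes outright: they truncate paths in C-level file APIs.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // The resolved path must begin with the base directory plus a separator,
    // so "../../etc/passwd" (which resolves outside $base) is rejected here.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Vulnerable shape from the quoted tutorial: the decoded name is glued onto
// the directory, so "../../etc/passwd" simply walks out of "images/".
// $filepath = "images/" . urldecode($_REQUEST["file"]);

// Hardened shape. PHP already URL-decodes query parameters into $_GET, so
// the extra urldecode() is unnecessary and would decode "..%252F" a second
// time into "../".
$requested = $_GET['file'] ?? '';
$path = resolveDownloadPath(__DIR__ . '/images', $requested);
if ($path === null) {
    http_response_code(404);
    exit('File not found');
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

The prefix comparison is done on the realpath() output, not on the user's string, so encoded dots, repeated slashes and symlinks pointing outside the directory are all handled by the same test. Allow-listing the file names that may be downloaded (a database lookup by id rather than a path) is simpler still when the application can manage it.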
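For the log question Paul raised, here is an added example (not from the thread) of pulling traversal attempts out of Apache combined-format access log lines with a small PHP CLI script. The sample lines are constructed: the first reproduces the request shape from Paul's log with the client address replaced by a documentation IP, and the other two are invented for contrast. The function name findTraversalAttempts is an assumption.

```php
<?php
// Added example: flag directory-traversal attempts in Apache combined-format
// access logs. The SAMPLE_LOG lines are constructed for this example.
declare(strict_types=1);

const SAMPLE_LOG = <<<'LOG'
192.0.2.10 - - [27/Dec/2019:04:09:39 -0500] "GET /download.php?file=../../../../../../../../../../../../etc/passwd HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.11 - - [27/Dec/2019:04:10:02 -0500] "GET /download.php?file=report.pdf HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
192.0.2.12 - - [27/Dec/2019:04:11:17 -0500] "GET /download.php?file=..%2F..%2Fconfig.php HTTP/1.1" 200 812 "-" "curl/7.64.0"
LOG;

/**
 * Return one record per line whose request target contains a ".." path
 * segment after URL decoding: client IP, timestamp, method, decoded target,
 * status, and whether the server answered 2xx (i.e. actually served a file).
 */
function findTraversalAttempts(string $log): array
{
    $hits = [];
    // Combined log format: host ident user [time] "METHOD target protocol" status bytes ...
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match($re, $line, $m)) {
            continue;
        }
        [, $ip, $time, $method, $target, $status] = $m;
        // Decode twice so both "%2F" and double-encoded "%252F" become "/".
        $decoded = rawurldecode(rawurldecode($target));
        // Traversal signal: ".." followed by a forward or backward slash.
        if (!preg_match('#\.\.[/\\\\]#', $decoded)) {
            continue;
        }
        $hits[] = [
            'ip'     => $ip,
            'time'   => $time,
            'method' => $method,
            'target' => $decoded,
            'status' => (int) $status,
            // A 404 (as in Paul's log) means no such script; a 2xx on a
            // traversal target is the line worth investigating first.
            'served' => $status[0] === '2',
        ];
    }
    return $hits;
}

foreach (findTraversalAttempts(SAMPLE_LOG) as $hit) {
    printf("%s [%s] %s %s -> %d%s\n", $hit['ip'], $hit['time'], $hit['method'],
        $hit['target'], $hit['status'], $hit['served'] ? '  (SERVED)' : '');
}
```

Run it as `php scan.php` after pointing SAMPLE_LOG at a real file (file_get_contents on the access log). The 404 in the original line says the probe found no download.php at all; the same pattern answered with a 200 is what would indicate the handler exists and may have returned the requested file.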