<div dir="ltr">I think you can also be exposed if you horribly misconfigure your web server to allow access to those directories and files.</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Dec 28, 2019 at 10:06 AM Mikalai Birukou via kwlug-disc <<a href="mailto:kwlug-disc@kwlug.org">kwlug-disc@kwlug.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
  
    
  
  <div>
    <p>Yes, this dot operator is not sanitizing paths.</p>
    <p>Is this a "let's try" automated trawling of the web? I wonder what
      region the request IP is from.<br>
    </p>
    <div>On 2019-12-28 10:00 a.m., Mikalai
      Birukou via kwlug-disc wrote:<br>
    </div>
    <blockquote type="cite">
      
      <p>I've duckduckgo-ed GET /download.php?file=../.</p>
      <p>This shows up <a href="https://www.tutorialrepublic.com/php-tutorial/php-file-download.php" target="_blank">https://www.tutorialrepublic.com/php-tutorial/php-file-download.php</a></p>
      <p>There is download.php example file in it with</p>
      <pre><code>$file = urldecode($_REQUEST["file"]); // Decode URL-encoded string
$filepath = "images/" . $file;</code></pre>
      <p>PHP isn't my language, but nothing here jumps out saying
        "sanitize path".</p>
      <p>How many people can use this example to add download
        functionality to whatever app/site? StackOverflow-style
        programming?<br>
      </p>
      <p>Maybe it's a good idea to search the system for download.php?</p>
      <div>On 2019-12-28 1:49 a.m., Paul Nijjar
        via kwlug-disc wrote:<br>
      </div>
      <blockquote type="cite">
        <pre>In my Apache logs I saw something like this, and my search-engine
skills are weak: 

133.18.209.124 - - [27/Dec/2019:04:09:39 -0500] "GET /download.php?file=../../../../../../../../../../../../etc/passwd HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" 

It's pretty obvious what they are trying to do, but I am having
trouble figuring out what the target is, exactly. Is this an exploit
in a popular web package I should know about?

- Paul
</pre>
      </blockquote>
      <pre>_______________________________________________
kwlug-disc mailing list
<a href="mailto:kwlug-disc@kwlug.org" target="_blank">kwlug-disc@kwlug.org</a>
<a href="http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org" target="_blank">http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org</a>
</pre>
    </blockquote>
    <div>-- <br>
      Mikalai Birukou <br>
      CEO | 3NSoft Inc.</div>
  </div>

</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div>John Van Ostrand<br></div><div>At large on sabbatical<br></div><br></div></div>
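<div dir="ltr"><p>An added example, not code from this thread or from the tutorial it links: the path-confinement check that the quoted <code>download.php</code> snippet lacks, alongside a detector for the traversal pattern in the Apache log line Paul posted. It is written in Python rather than PHP because the check itself (decode, join to the base directory, canonicalise, verify the result is still below the base) is language-independent. The directory layout, file names and log lines are constructed; the IP addresses are RFC 5737 documentation addresses.</p></div>

```python
"""Added example, not code from the thread or the tutorial it links:
the path confinement the quoted download.php lacks, plus a detector for
the traversal pattern in an Apache combined log line.  Python rather
than PHP, since the check is language-independent; every path and log
line below is constructed for the demo."""
import os
import re
import tempfile
from urllib.parse import unquote

# Apache "combined" log line; only the fields the detector needs are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# A ".." segment bounded by path, query or parameter delimiters.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\?=&])\.\.(?:[/\\&]|$)')


def resolve_under_base(base_dir, requested):
    """Return the canonical path for `requested` inside `base_dir`, or None.

    What `"images/" . $file` should have been followed by: URL-decode the
    name, join it to the base, canonicalise (realpath collapses ".." and
    follows symlinks), then require the result to sit strictly below the
    canonical base.  The trailing separator in the prefix test stops a
    sibling such as "images_private" from passing as "images"."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, unquote(requested)))
    if not candidate.startswith(base + os.sep):
        return None          # escaped via "..", an absolute path or a symlink
    if not os.path.isfile(candidate):
        return None          # nothing to serve (directories excluded as well)
    return candidate


def traversal_in_request(log_line):
    """Return (ip, status, decoded target) when the request line carries a
    ".." segment after URL-decoding, else None.  Decoding twice also covers
    double-encoded forms such as %252e%252e%252f."""
    m = LOG_RE.match(log_line)
    if not m:
        return None
    target = unquote(unquote(m.group("target")))
    if TRAVERSAL_RE.search(target):
        return m.group("ip"), m.group("status"), target
    return None


def scan(log_lines):
    """Run traversal_in_request over many lines; a 200 status is the one
    that needs follow-up, a 404 (as in the thread) means no such script."""
    return [hit for hit in map(traversal_in_request, log_lines) if hit]


def make_sample_tree():
    """Constructed layout: <tmp>/images/cat.jpg is servable, <tmp>/secret.txt
    is not, and images/link points outside the base to show realpath at
    work.  Returns the images directory."""
    root = tempfile.mkdtemp(prefix="dl-example-")
    images = os.path.join(root, "images")
    os.mkdir(images)
    with open(os.path.join(images, "cat.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff")              # JPEG magic, enough for a demo
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("not for download\n")
    try:
        os.symlink(os.path.join(root, "secret.txt"), os.path.join(images, "link"))
    except OSError:
        pass                                   # symlinks unavailable here
    return images


# Constructed log lines in Apache combined format (RFC 5737 test addresses).
SAMPLE_LOG_LINES = [
    '192.0.2.10 - - [27/Dec/2019:04:09:39 -0500] "GET /download.php?file=../../../../etc/passwd HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [27/Dec/2019:04:10:02 -0500] "GET /download.php?file=cat.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [27/Dec/2019:04:11:45 -0500] "GET /download.php?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 209 "-" "curl/7.64.0"',
]

if __name__ == "__main__":
    images = make_sample_tree()
    for name in ("cat.jpg", "../secret.txt", "..%2F..%2Fetc%2Fpasswd", "/etc/passwd", "link"):
        print(f"{name!r:32} -> {resolve_under_base(images, name)}")
    for ip, status, target in scan(SAMPLE_LOG_LINES):
        print(f"traversal attempt from {ip} (HTTP {status}): {target}")
```

<div dir="ltr"><p>Only <code>cat.jpg</code> resolves; the <code>..</code> forms, the absolute path and the symlink all come back as <code>None</code> because the canonicalised result no longer starts with the canonical base plus a separator. On the log side, the status column is worth keeping in the hit: the 404 in the thread says the script does not exist, whereas a 200 on such a request is the case that needs a look at what the script actually returned.</p></div>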