<div dir="ltr">I think you can also be exposed if you horribly misconfigure your web server to allow access to those directories and files.</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Dec 28, 2019 at 10:06 AM Mikalai Birukou via kwlug-disc <<a href="mailto:kwlug-disc@kwlug.org">kwlug-disc@kwlug.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p>Yes, this dot operator is not sanitizing paths.</p>
<p>Is this a "let's try" automated trawling of the web? I wonder what
region the request IP is from.<br>
</p>
<div>On 2019-12-28 10:00 a.m., Mikalai
Birukou via kwlug-disc wrote:<br>
</div>
<blockquote type="cite">
<p>I've duckduckgo-ed GET /download.php?file=../.</p>
<p>This shows up <a href="https://www.tutorialrepublic.com/php-tutorial/php-file-download.php" target="_blank">https://www.tutorialrepublic.com/php-tutorial/php-file-download.php</a></p>
<p>There is a download.php example file in it with</p>
<pre><code>$file = urldecode($_REQUEST["file"]); // Decode URL-encoded string
$filepath = "images/" . $file;        // No path sanitization: "../" segments in $file escape images/
</code></pre>
<p>PHP isn't my language, but nothing here jumps out saying
"sanitize path".</p>
<p>How many people can use this example to add a download
functionality to whatever app/site. StackOverflow style
programming?<br>
</p>
<p>Maybe it's a good idea to search the system for download.php?</p>
<div>On 2019-12-28 1:49 a.m., Paul Nijjar
via kwlug-disc wrote:<br>
</div>
<blockquote type="cite">
<pre>In my Apache logs I saw something like this, and my search-engine
skills are weak:
133.18.209.124 - - [27/Dec/2019:04:09:39 -0500] "GET /download.php?file=../../../../../../../../../../../../etc/passwd HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
It's pretty obvious what they are trying to do, but I am having
trouble figuring out what the target is, exactly. Is this an exploit
in a popular web package I should know about?
- Paul
</pre>
</blockquote>
<br>
<pre>_______________________________________________
kwlug-disc mailing list
<a href="mailto:kwlug-disc@kwlug.org" target="_blank">kwlug-disc@kwlug.org</a>
<a href="http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org" target="_blank">http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org</a>
</pre>
</blockquote>
<div>-- <br>
Mikalai Birukou <br>
CEO | 3NSoft Inc.</div>
</div>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div>John Van Ostrand<br></div><div>At large on sabbatical<br></div><br></div></div>
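<p>The thread quotes the tutorial's two unsanitized lines and Paul's log entry showing a <code>../../../etc/passwd</code> probe against them. Below is an added example of what a hardened version of that handler looks like; it is not code from the original posts or from the linked tutorial. It assumes the downloadable files live under an <code>images/</code> directory beside the script (the tutorial's layout) and that the request parameter is still named <code>file</code>; the function name <code>resolve_download_path</code> is made up for this example. The key change is that the requested name is reduced to a bare filename and the resolved path is checked to sit inside the base directory before anything is read.</p>

```php
<?php
// Added example (not from the thread or the linked tutorial): hardened
// replacement for the download.php pattern discussed above.
// Assumptions: allowed files live in ./images next to this script, and the
// request parameter is still called "file".
declare(strict_types=1);

/**
 * Return the canonical path of a file inside $baseDir that matches
 * $requested, or null if the request must be refused.
 */
function resolve_download_path(string $baseDir, string $requested): ?string
{
    // Canonicalise the base directory; realpath() returns false if it is missing.
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }

    // Accept only a bare filename. basename() strips directory components,
    // so "../../../etc/passwd" becomes "passwd" and no longer equals the input.
    if ($requested === '' || basename($requested) !== $requested) {
        return null;
    }

    // Canonicalise the candidate. realpath() resolves symlinks and "..", and
    // returns false if the file does not exist.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }

    // Containment check, in case a symlink inside images/ points elsewhere.
    // The trailing separator stops "images_private" from matching "images".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $candidate;
}

// The vulnerable pattern quoted in the thread, for comparison:
//   $file = urldecode($_REQUEST["file"]);   // PHP already decoded this once
//   $filepath = "images/" . $file;          // "../" segments walk out of images/

// Note: no urldecode() here. PHP decodes query parameters before populating
// $_REQUEST; decoding again only lets %2e%2e-style double encoding through.
$path = resolve_download_path(__DIR__ . '/images', (string) ($_REQUEST['file'] ?? ''));
if ($path === null) {
    http_response_code(404);
    exit;
}

header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

<p>With this in place the request from Paul's log resolves to null and gets a 404 regardless of how many <code>../</code> segments it carries, and a symlink dropped into <code>images/</code> cannot be used to serve files from outside it. An allow-list of expected filenames, or a database ID mapped to a path, is stricter still where the set of downloadable files is known in advance.</p>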