<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Yes, this dot operator is not sanitizing paths.</p>
<p>Is this a "let's try" automated trawling of the web? I wonder what
region the request IP is from.<br>
</p>
<div class="moz-cite-prefix">On 2019-12-28 10:00 a.m., Mikalai
Birukou via kwlug-disc wrote:<br>
</div>
<blockquote type="cite"
cite="mid:04545a21-8986-cf6e-b4f8-82d6916d3c0e@3nsoft.com">
<p>I've duckduckgo-ed GET /download.php?file=../.</p>
<p>This shows up <a class="moz-txt-link-freetext"
href="https://www.tutorialrepublic.com/php-tutorial/php-file-download.php"
moz-do-not-send="true">https://www.tutorialrepublic.com/php-tutorial/php-file-download.php</a></p>
<p>There is a download.php example file in it with</p>
<pre class="syntax-highlighter line-numbers language-php"><code class=" language-php"><span class="token php language-php"> <span class="token variable">$file</span> <span class="token operator">=</span> <span class="token function">urldecode</span><span class="token punctuation">(</span><span class="token variable">$_REQUEST</span><span class="token punctuation">[</span><span class="token double-quoted-string string">"file"</span><span class="token punctuation">]</span><span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token comment">// Decode URL-encoded string</span>
<span class="token variable">$filepath</span> <span class="token operator">=</span> <span class="token double-quoted-string string">"images/"</span> <span class="token punctuation">.</span> <span class="token variable">$file</span><span class="token punctuation">;</span>
</span></code></pre>
<p>PHP isn't my language, but nothing here jumps out, saying
sanitize path.</p>
<p>How many people can use this example to add download
functionality to whatever app/site? StackOverflow-style
programming?<br>
</p>
<p>Maybe it's a good idea to search the system for download.php?</p>
<p><br>
</p>
<div class="moz-cite-prefix">On 2019-12-28 1:49 a.m., Paul Nijjar
via kwlug-disc wrote:<br>
</div>
<blockquote type="cite"
cite="mid:20191228064953.GC1207@nb-heartburn">
<pre class="moz-quote-pre" wrap="">In my Apache logs I saw something like this, and my search-engine
skills are weak:
133.18.209.124 - - [27/Dec/2019:04:09:39 -0500] "GET /download.php?file=../../../../../../../../../../../../etc/passwd HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
It's pretty obvious what they are trying to do, but I am having
trouble figuring out what the target is, exactly. Is this an exploit
in a popular web package I should know about?
- Paul
</pre>
</blockquote>
<br>
</blockquote>
<div class="moz-signature">-- <br>
Mikalai Birukou <br>
CEO | 3NSoft Inc.</div>
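<p>An added example, not part of the original messages or of the tutorial's code: the concatenation quoted above next to a containment check that canonicalises the path with realpath() and refuses anything outside the base directory. The function names, the temporary directory layout and the sample requests are assumptions constructed for the demonstration.</p>

```php
<?php
// Added example (not the tutorial's code). Function names and the demo tree are hypothetical.

// Form quoted in the thread: plain concatenation keeps every "../" segment.
function naive_path(string $base, string $requested): string
{
    return $base . '/' . urldecode($requested);
}

// Hardened form: canonicalise first, then require the result to stay under the base directory.
function resolve_download(string $base, string $requested): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null; // base directory does not exist
    }
    // $_GET/$_REQUEST values are already URL-decoded by PHP, so no second urldecode() here.
    $candidate = realpath($baseReal . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_file($candidate)) {
        return null; // missing, or not a regular file
    }
    // The trailing separator stops a sibling such as "images_private" matching the "images" prefix.
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved path escaped the base directory
    }
    return $candidate;
}

// Constructed demo tree: <tmp>/images/ok.png plus a sibling file outside images/.
$root = sys_get_temp_dir() . '/dl_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/images', 0700, true);
file_put_contents($root . '/images/ok.png', 'png');
file_put_contents($root . '/secret.txt', 'secret');

// Constructed request values; the last traversal mirrors the shape of the logged request.
foreach (['ok.png', '../secret.txt', '../../../../etc/passwd', 'missing.png'] as $req) {
    $naive = is_file(naive_path($root . '/images', $req)) ? 'readable' : 'no file';
    $safe  = resolve_download($root . '/images', $req) === null ? 'rejected' : 'served';
    printf("%-24s naive=%-8s hardened=%s\n", $req, $naive, $safe);
}

// Remove the demo tree.
unlink($root . '/images/ok.png');
unlink($root . '/secret.txt');
rmdir($root . '/images');
rmdir($root);
```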
</body>
</html>