<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>Yes, this dot operator is not sanitizing paths.</p>
    <p>Is this a "let's try" automated trawling of the web? I wonder what
      region the request IP is from.<br>
    </p>
    <div class="moz-cite-prefix">On 2019-12-28 10:00 a.m., Mikalai
      Birukou via kwlug-disc wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:04545a21-8986-cf6e-b4f8-82d6916d3c0e@3nsoft.com">
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
      <p>I've duckduckgo-ed GET /download.php?file=../.</p>
      <p>This shows up <a class="moz-txt-link-freetext"
href="https://www.tutorialrepublic.com/php-tutorial/php-file-download.php"
          moz-do-not-send="true">https://www.tutorialrepublic.com/php-tutorial/php-file-download.php</a></p>
      <p>There is a download.php example file in it with</p>
      <pre><code class="language-php">    $file = urldecode($_REQUEST["file"]); // Decode URL-encoded string
    $filepath = "images/" . $file;
</code></pre>
      <p>PHP isn't my language, but nothing here jumps out saying
        sanitize path.</p>
      <p>How many people can use this example to add download
        functionality to whatever app/site? StackOverflow-style
        programming?<br>
      </p>
      <p>Maybe it's a good idea to search the system for download.php?</p>
      <div class="moz-cite-prefix">On 2019-12-28 1:49 a.m., Paul Nijjar
        via kwlug-disc wrote:<br>
      </div>
      <blockquote type="cite"
        cite="mid:20191228064953.GC1207@nb-heartburn">
        <pre class="moz-quote-pre" wrap="">In my Apache logs I saw something like this, and my search-engine
skills are weak: 

133.18.209.124 - - [27/Dec/2019:04:09:39 -0500] "GET /download.php?file=../../../../../../../../../../../../etc/passwd HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" 

It's pretty obvious what they are trying to do, but I am having
trouble figuring out what the target is, exactly. Is this an exploit
in a popular web package I should know about?

- Paul
</pre>
      </blockquote>
      <pre class="moz-quote-pre" wrap="">_______________________________________________
kwlug-disc mailing list
<a class="moz-txt-link-abbreviated" href="mailto:kwlug-disc@kwlug.org">kwlug-disc@kwlug.org</a>
<a class="moz-txt-link-freetext" href="http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org">http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org</a>
</pre>
    </blockquote>
    <div class="moz-signature">-- <br>
      Mikalai Birukou <br>
      CEO | 3NSoft Inc.</div>
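    <p>A hardened counterpart to the download.php pattern quoted above, added here as an example and not taken from the tutorial or from anyone on the list: the request value is reduced to a bare file name, the canonical path is checked against the images/ directory, and the original two lines are kept in a comment for contrast. The images/ directory, the allowed extensions and the <code>resolve_download</code> function name are assumptions.</p>

```php
<?php
// Added example (not the tutorial's or the list's code). Hardened variant
// of the quoted download.php pattern: the requested name is used only as a
// basename and the resolved path must stay inside images/. The directory,
// the extension allow-list and the function name are assumptions.

function resolve_download(string $baseDir, string $requested): ?string
{
    // Vulnerable original, for contrast:
    //   $filepath = "images/" . urldecode($_REQUEST["file"]);
    // "../../../../etc/passwd" walks straight out of images/, and the extra
    // urldecode() double-decodes a value PHP has already decoded.

    $base = realpath($baseDir);
    if ($base === false) {
        return null;                       // images/ itself is missing
    }
    // Strip any directory component: "../../etc/passwd" -> "passwd"
    $name = basename($requested);
    if ($name === '' || $name[0] === '.' || strpos($name, "\0") !== false) {
        return null;                       // empty names, dotfiles, NUL bytes
    }
    // Allow-list of extensions (assumed policy for an image directory)
    if (!preg_match('/\.(jpe?g|png|gif)$/i', $name)) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($candidate === false || !is_file($candidate)) {
        return null;                       // missing, or not a regular file
    }
    // Belt and braces: the canonical path must still start with the base dir,
    // which also catches a symlink inside images/ pointing elsewhere
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

$requested = $_REQUEST['file'] ?? '';       // already URL-decoded by PHP
$path = resolve_download(__DIR__ . '/images', $requested);
if ($path === null) {
    http_response_code(404);
    exit('File not found.');
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```

    <p>With the request from the quoted log line, <code>basename()</code> reduces the value to <code>passwd</code>, the extension check rejects it, and the server answers 404 without touching anything outside images/.</p>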
  </body>
</html>