| 1 |
On 2/28/22 5:04 AM, Adam Carter wrote: |
| 2 |
> If you put that url in a browser does it show your passwd file? I assume |
| 3 |
> because the logs say 200 it will. If so shut down the httpd and reset |
| 4 |
> all the passwords |
| 5 |
|
| 6 |
Note the question mark after the leading slash. As such, the path |
| 7 |
traversal component is for a query parameter, named f / file / filename |
| 8 |
/ id. |
| 9 |
|
| 10 |
There is a reasonable chance that the web server returned the index / |
| 11 |
default page for the document root and that the query parameter didn't |
| 12 |
actually change any thing. |
| 13 |
|
| 14 |
With this in mind, it would be normal to return a 200 status code for |
| 15 |
the index / default page for the document root. |
| 16 |
|
| 17 |
> Check your httpd config… seems odd that an old attack like this would |
| 18 |
> still work. |
| 19 |
|
| 20 |
If this did return the actual contents of /etc/password then there is |
| 21 |
quite likely a different problem in that the index / default page is |
| 22 |
accepting query parameters as paths, independent of the HTTP daemon. |
| 23 |
|
| 24 |
Aside: +1 to everything that Stefan S. said. |
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
-- |
| 29 |
Grant. . . . |
| 30 |
unix || die |
Archives