On 2/28/22 5:04 AM, Adam Carter wrote:
> If you put that url in a browser does it show your passwd file? I assume
> because the logs say 200 it will. If so shut down the httpd and reset
> all the passwords

Note the question mark after the leading slash. As such, the path
traversal component is for a query parameter, named f / file / filename
/ id.

There is a reasonable chance that the web server returned the index /
default page for the document root and that the query parameter didn't
actually change anything.

With this in mind, it would be normal to return a 200 status code for
the index / default page for the document root.

> Check your httpd config… seems odd that an old attack like this would
> still work.

If this did return the actual contents of /etc/password then there is
quite likely a different problem in that the index / default page is
accepting query parameters as paths, independent of the HTTP daemon.

Aside: +1 to everything that Stefan S. said.

--
Grant. . . .
unix || die
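
One way to check the point above against an access log, as an added example that is not part of the original message: it separates `../` in the URL path from `../` in a query parameter and compares each 200 response's size with the size logged for the plain index page. The combined log format, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in "combined" log format (not taken from the thread).
SAMPLE_LOG = '''\
203.0.113.9 - - [28/Feb/2022:04:11:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"
203.0.113.9 - - [28/Feb/2022:04:11:03 +0000] "GET /?file=../../../../etc/passwd HTTP/1.1" 200 5120 "-" "-"
203.0.113.9 - - [28/Feb/2022:04:11:04 +0000] "GET /?id=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1843 "-" "-"
203.0.113.9 - - [28/Feb/2022:04:11:05 +0000] "GET /../../etc/passwd HTTP/1.1" 400 226 "-" "-"
'''

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) (\d+|-)')
DOTDOT = re.compile(r"\.\.[/\\]")


def parse(log_text):
    """Yield (request target, status, body size) for each parsable line."""
    for line in log_text.splitlines():
        m = REQUEST.search(line)
        if m:
            yield m.group(1), int(m.group(2)), int(m.group(3).replace("-", "0"))


def triage(log_text, index_target="/"):
    """Return (target, where, verdict) for every request carrying '../'."""
    rows = list(parse(log_text))
    # Baseline: body sizes seen for plain 200 responses to the index page.
    index_sizes = {size for t, status, size in rows if t == index_target and status == 200}
    findings = []
    for target, status, size in rows:
        url = urlsplit(target)
        # parse_qsl percent-decodes values, so ..%2f is caught as well.
        params = [k for k, v in parse_qsl(url.query, keep_blank_values=True) if DOTDOT.search(v)]
        if DOTDOT.search(unquote(url.path)):
            where = "path"
        elif params:
            where = "query:" + ",".join(params)
        else:
            continue
        if status != 200:
            verdict = "not-200"
        elif size in index_sizes:
            verdict = "same-as-index"   # parameter most likely ignored
        else:
            verdict = "investigate"     # body differs from the index page
        findings.append((target, where, verdict))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Matching sizes are a heuristic: an index page with dynamic content can vary in length, so an "investigate" verdict means the response body should be looked at, not that a file was disclosed.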