On 2/28/22 5:04 AM, Adam Carter wrote:
> If you put that url in a browser does it show your passwd file? I assume because the logs say 200 it will. If so shut down the httpd and reset all the passwords.

Note the question mark after the leading slash. As such, the path traversal component is for a query parameter, named f / file / filename / id.

There is a reasonable chance that the web server returned the index / default page for the document root and that the query parameter didn't actually change anything.

With this in mind, it would be normal to return a 200 status code for the index / default page for the document root.

> Check your httpd config… seems odd that an old attack like this would still work.

If this did return the actual contents of /etc/password then there is quite likely a different problem in that the index / default page is accepting query parameters as paths, independent of the HTTP daemon.

Aside: +1 to everything that Stefan S. said.



--
Grant. . . .
unix || die
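
An added example (not part of the original message, and not code from anyone in the thread): a small access-log triage that separates traversal sequences in the URL path from those in a query string, and compares the response size with that of the plain index page. The log lines, the 5120-byte index size and the function names are constructed for illustration; a matching size is a hint that the parameter was ignored, not proof.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request target, status and response size from a common/combined log line.
LOG_RE = re.compile(
    r'"(?:GET|POST|HEAD) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')
# A ".." path segment, delimited by / or \ or the ends of the string.
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')

def has_traversal(value):
    # Decode twice so double-encoded forms such as %252e%252e are caught too.
    return bool(TRAVERSAL_RE.search(unquote(unquote(value))))

def triage(line, index_size):
    """Classify one log line; index_size is the byte size of a plain GET /."""
    m = LOG_RE.search(line)
    if not m:
        return "unparsed"
    url = urlsplit(m["target"])
    in_path = has_traversal(url.path)
    in_query = any(has_traversal(v)
                   for _, v in parse_qsl(url.query, keep_blank_values=True))
    if not (in_path or in_query):
        return "no-traversal"
    if not m["status"].startswith("2"):
        return "rejected"
    size = 0 if m["size"] == "-" else int(m["size"])
    # Traversal only after the "?" and the same bytes as the index page:
    # the server most likely served "/" and ignored the parameter.
    if in_query and not in_path and size == index_size:
        return "query-ignored-likely"
    return "investigate"

# Constructed sample lines (documentation IP ranges, made-up sizes).
SAMPLE = [
    '203.0.113.7 - - [28/Feb/2022:04:12:01 +0000] "GET /?file=../../../../etc/passwd HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.7 - - [28/Feb/2022:04:12:02 +0000] "GET /?id=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1843 "-" "-"',
    '203.0.113.7 - - [28/Feb/2022:04:12:03 +0000] "GET /cgi-bin/../../etc/passwd HTTP/1.1" 400 226 "-" "-"',
    '198.51.100.4 - - [28/Feb/2022:04:13:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "-"',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(triage(entry, index_size=5120), "<-", entry.split('"')[1])
```

Lines classified as "investigate" are the ones where the response differs from the index page and the body is worth fetching and inspecting.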
