/operate/ - Endchan Operations

Let us know what's up



Odili Anonymous 09/16/2019 (Mon) 07:36:38 [Preview] No. 10622
Look at these filenames. Is this something fucky?

https://endchan.net/b/res/23095.html#23116
/tmp/phpxglr3v
https://endchan.net/christian/res/211.html#235
/tmp/phpcguJ2E
https://endchan.net/pol/res/65362.html#75002
/tmp/phple1Evt

What is in those folders server side?


Anonymous 09/16/2019 (Mon) 07:38:39 [Preview] No.10623 del
>>10622
nothing and we don't use php


Bring out yer dead! Anonymous 09/16/2019 (Mon) 08:17:14 [Preview] No.10624 del
(160.56 KB)
Let's try up a fun test of something ...


Anonymous 09/16/2019 (Mon) 08:37:33 [Preview] No.10625 del
Fair warning, I'm not any of the site staff. Just a random drive-by anon. Take with a grain of salt.
>>10622
Looks like a 1990s style filename path hack exploit attempt. Except that shit don't work no more. At least not with any browsers made in the last ten years or so. Example:
>>10624
The filename in this case (a jpeg image) was changed to a nonsensical "\tmp\name\Angela\Devi\evil\hackings\", although it appears not to have been shown in the posting. No matter.
Typically, imageboard systems scan the file without regard to the filename. At a minimum they run it through a thumbnailer for display in-thread. Lynxchan can be set to identify/verify the filetype and will correctly set the thread filename based off of what it finds. So if I upload 1.jpg but it's really a png file, the name in the thread will be something like: [a string of numbers and letters].png and it correctly identified the file above as a jpeg, even with a completely BS filename.
The last applications I know of where this would work as an exploit would be some old zip utilities.
Anyway, someone may be trying to play games with the internal file scanner (unlikely to accomplish anything but was a hell-on-wheels exploit back in the day) or they just like being weird. Or nostalgic.


Anonymous 09/16/2019 (Mon) 13:32:35 [Preview] No.10626 del
>>10625
Addendum: the slashes in the example are in the wrong direction.
Using unicode I can craft a filename with what looks to be a forward slash, and looks legitimately so in the file upload field, but still isn't a proper filesystem forward slash and can't be interpreted as such by anything other than the human eye.
Harmless shenanigans.
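The two posts above describe, between them, why a path-looking filename is harmless on a well-built upload handler: the server identifies the file by its content and stores it under a name it generates itself (post 10625), and lookalike slash characters are not path separators to anything but the human eye (post 10626). The following is an added example that is not part of the thread and is not LynxChan's own code; it assumes a small, constructed magic-byte table, a constructed list of lookalike separators, and a hypothetical upload directory `/srv/uploads`.

```python
import os
import re
import secrets
import unicodedata
from typing import Optional

# Constructed magic-number table for the image types an imageboard commonly
# accepts. A real deployment would use a proper sniffing library; the point is
# that the decision is made on bytes, never on the client's filename.
MAGIC = [
    (b"\xff\xd8\xff", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
]

# Code points that render like a path separator but are not one (constructed,
# not exhaustive): division slash, fraction slash, big solidus, fullwidth
# solidus, set minus, reverse solidus operator, fullwidth reverse solidus.
LOOKALIKE_SEPARATORS = "\u2215\u2044\u29f8\uff0f\u2216\u29f5\uff3c"

# Constructed sample payloads: the first bytes of a PNG and a JPEG, padded.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 8


def detect_type(data: bytes) -> Optional[str]:
    """Return the extension implied by the file's leading bytes, or None."""
    for signature, ext in MAGIC:
        if data.startswith(signature):
            return ext
    return None


def display_name(user_supplied: str, max_len: int = 64) -> str:
    """Reduce a client-supplied filename to something safe to show and log.

    The stored filename never comes from here (see accept_upload); this only
    produces the 'original filename' a thread might display.
    """
    name = unicodedata.normalize("NFKC", user_supplied)
    # Treat every lookalike slash as a real one so a visually convincing
    # "..\u2215..\u2215dir\u2215x" is cut down exactly like "../../dir/x".
    for ch in LOOKALIKE_SEPARATORS:
        name = name.replace(ch, "/")
    name = name.replace("\\", "/")
    name = name.rsplit("/", 1)[-1]          # keep only the last path component
    name = re.sub(r"[^\w.\-]", "_", name)   # drop controls, spaces, metacharacters
    name = name.strip(".")                   # no ".", "..", hidden or trailing-dot names
    return (name or "file")[:max_len]


def accept_upload(user_filename: str, data: bytes,
                  upload_dir: str = "/srv/uploads") -> Optional[dict]:
    """Decide how an upload is stored: reject unknown content, otherwise
    store it under a random server-generated name carrying the detected
    extension, regardless of what the client called it."""
    ext = detect_type(data)
    if ext is None:
        return None                          # unknown bytes: reject, whatever the name says
    stored = f"{secrets.token_hex(16)}.{ext}"
    path = os.path.normpath(os.path.join(upload_dir, stored))
    if os.path.dirname(path) != os.path.normpath(upload_dir):
        return None                          # cannot happen with a generated name; documents the invariant
    return {"stored": stored, "path": path, "type": ext,
            "display": display_name(user_filename)}


if __name__ == "__main__":
    # The filename from post 10624, and a PNG uploaded as "1.jpg" as in post 10625.
    print(display_name("\\tmp\\name\\Angela\\Devi\\evil\\hackings\\"))
    print(accept_upload("1.jpg", SAMPLE_PNG))
```

Note that `display_name` is deliberately lossy: its output is for humans, and the only name that ever touches the filesystem is the one `accept_upload` generates. Normalising with NFKC first matters because some lookalikes (fullwidth solidus, for one) become a real `/` under compatibility normalisation, so a check that ran before normalisation could be bypassed by a check that runs after it.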


