NOAA's NNVL Earth Products Directory Traversal Vulnerability

While looking for a nice new wallpaper, I came across this page: Earth Daily Color. It's very nice, so I hit the download button and noticed I got a path like this:

https://www.nnvl.noaa.gov/view/GetFile.php?Path=%2Fvar%2Fwww%2Fhtml%2Fnnvl%2FPortal%2FProducts%2FTRUE%2FImages%2FColor%2FDaily%2FTRUE.daily.20170325.color.png

Strange, there is a full path to the file I had requested. I wonder if there is any input checking at all.

/view/GetFile.php?Path=/etc/passwd

Nope! It downloaded the server's passwd! At this point I completely stopped and started finding a way to get hold of NOAA. I found the webmaster [at] noaa.gov email address, wrote a little letter explaining the issue and waited…
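What went wrong here is the classic arbitrary-file-read pattern: the `Path` query parameter is opened exactly as supplied, so any path the web server's user can read (starting with /etc/passwd) comes back to the browser. The following is an added example written for this post, not NOAA's GetFile.php (whose source is not public) and not PHP; it reconstructs the observed behaviour in Python alongside a hardened handler that treats the parameter as a path relative to a product directory and refuses anything that resolves outside it. The directory layout, the image bytes, the stand-in "passwd" file and the symlink are all constructed inside a temporary directory for the demo.

```python
"""
Added example, not NOAA's code: the arbitrary-file-read pattern behind
GetFile.php?Path=, and a hardened handler that confines the requested file
to the product directory. Everything on disk here is constructed for the demo.
"""
import os
import tempfile
from urllib.parse import parse_qs, urlparse

# The download URL from the post; the Path value is percent-encoded.
OBSERVED_URL = ("https://www.nnvl.noaa.gov/view/GetFile.php?Path=%2Fvar%2Fwww%2Fhtml"
                "%2Fnnvl%2FPortal%2FProducts%2FTRUE%2FImages%2FColor%2FDaily"
                "%2FTRUE.daily.20170325.color.png")


def path_param(url: str) -> str:
    """Extract and percent-decode the Path query parameter as the server sees it."""
    return parse_qs(urlparse(url).query)["Path"][0]


def vulnerable_get_file(path: str) -> bytes:
    """The observed behaviour: whatever Path says is opened and returned as-is."""
    with open(path, "rb") as f:
        return f.read()


def safe_get_file(product_root: str, requested: str) -> bytes:
    """Hardened handler (assumed design, not the fix NOAA actually deployed).

    The parameter is taken as a path *relative* to product_root. realpath()
    resolves '..' segments and symlinks, and the result must still lie under
    the resolved root; otherwise the request is refused before anything opens.
    """
    if "\0" in requested or os.path.isabs(requested):
        raise PermissionError("absolute paths and NUL bytes are not accepted")
    root = os.path.realpath(product_root)
    candidate = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError("path escapes the product directory")
    if not os.path.isfile(candidate):
        raise FileNotFoundError(requested)
    with open(candidate, "rb") as f:
        return f.read()


def _rejected(root: str, requested: str) -> bool:
    """True if the hardened handler refuses the request with PermissionError."""
    try:
        safe_get_file(root, requested)
    except PermissionError:
        return True
    return False


def demo() -> dict:
    """Build a throwaway product tree and exercise both handlers."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "Products")
        image_rel = os.path.join("TRUE", "Images", "Color", "Daily",
                                 "TRUE.daily.20170325.color.png")
        image_abs = os.path.join(root, image_rel)
        os.makedirs(os.path.dirname(image_abs))
        with open(image_abs, "wb") as f:
            f.write(b"\x89PNG demo bytes")           # constructed stand-in for the image
        secret = os.path.join(tmp, "passwd")          # constructed stand-in for /etc/passwd
        with open(secret, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")

        # 1. The unchecked handler hands back anything the process can read.
        results["vulnerable_reads_outside"] = vulnerable_get_file(secret).startswith(b"root:")

        # 2. The hardened handler still serves the legitimate product file...
        results["safe_serves_image"] = safe_get_file(root, image_rel) == b"\x89PNG demo bytes"

        # 3. ...but refuses an absolute path, a '..' escape and a symlink escape.
        results["absolute_rejected"] = _rejected(root, secret)
        results["dotdot_rejected"] = _rejected(root, os.path.join("..", "passwd"))
        os.symlink(secret, os.path.join(root, "TRUE", "link_to_passwd"))
        results["symlink_rejected"] = _rejected(root, os.path.join("TRUE", "link_to_passwd"))
    return results


if __name__ == "__main__":
    print(path_param(OBSERVED_URL))
    print(demo())
```

One practical consequence of this design is that the site's own download links, which carried an absolute `/var/www/...` path, would be refused by the hardened handler too, so the fix has to change what the download button emits (a product-relative path, or better an opaque product identifier looked up server-side) at the same time as the check is added.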

Two months later (April 2017), after getting no reply, I checked the URL again and I could still access the file! I tried looking up their IT team but after some searching gave up and promptly forgot about it.

I'm happy to report that after checking today, the issue has been resolved! I do kind of wish there were more publicly published methods of getting in contact with the correct people in the US Government when a citizen finds a vulnerability. I am glad they did get it fixed; I enjoy NOAA's products and wish they got more press than they do. Check out their NNVL FTP sometime, there are amazing images of the earth to be had.