We noticed that the server logs debug info to stdout.
Our first idea was path traversal, because the server stores files under names taken from the requests: path = './' + eikooc + '/' + path
Path traversal in the path didn't work at all, but eikooc (reversed cookie) was a user directory. So we sent this payload:
TEG / PTTH\1.1
eikooc: ../
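
A server-side check that would reject the eikooc: ../ request above, shown next to the concatenation the writeup quotes. This is an added example, not code from the challenge server; the choice of Python, the BASE_DIR storage root and the function names naive_path and safe_path are assumptions.

```python
import os

# Assumed storage root; the writeup only shows './' as the prefix.
BASE_DIR = os.path.realpath("./storage")


def naive_path(eikooc: str, path: str) -> str:
    # The construction quoted in the writeup: both values are concatenated as-is,
    # so a header value of '../' moves the lookup one directory up.
    return './' + eikooc + '/' + path


def safe_path(eikooc: str, path: str, base: str = BASE_DIR) -> str:
    """Resolve a per-user file path and refuse anything outside that user's directory."""
    # The header value names a directory, so it must be exactly one plain component.
    if (not eikooc or eikooc in (".", "..")
            or any(c in eikooc for c in ("/", "\\", "\0"))):
        raise ValueError("invalid user directory")
    user_dir = os.path.realpath(os.path.join(base, eikooc))
    # After symlink resolution the user directory must sit directly under base.
    if os.path.dirname(user_dir) != base:
        raise ValueError("user directory escapes storage root")
    # Treat the request path as relative, resolve it, then check containment.
    target = os.path.realpath(os.path.join(user_dir, path.lstrip("/")))
    if os.path.commonpath([user_dir, target]) != user_dir:
        raise ValueError("path escapes user directory")
    return target
```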