Description
-
NGINX is a web server which can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache.
The NGINX alias directive defines a replacement for the specified location.
For example, with the following configuration:location /i/ { alias /data/w3/images/; }on request of /i/top.gif, the file /data/w3/images/top.gif will be sent.
But, if the location doesn't ends with directory separator (i.e. /):location /i { alias /data/w3/images/; }on request of /i../app/config.py, the file /data/w3/app/config.py will be sent.
The incorrect configuration of the alias could allow an attacker to read file stored outside the target folder.
The following tests were performed to confirm this vulnerability:- alias../ => HTTP status code 403
- alias.../ => HTTP status code 404
- alias../../ => HTTP status code 403
- alias../../../../../../../../../../../ => HTTP status code 400
- alias../ => HTTP status code 403
Remediation
- Find all NGINX alias directives and make sure that the parent prefixed location ends with directory separator.
References
Severity
Classification
Tags
Related Vulnerabilities
- WordPress Plugin WP AmASIN-The Amazon Affiliate Shop Directory Traversal (0.9.6)
- WordPress Plugin SE HTML5 Album Audio Player Directory Traversal (1.1.0)
- WordPress Plugin MAC PHOTO GALLERY 'albid' Parameter Arbitrary File Disclosure (2.8)
- WordPress Plugin ChimpMate-WordPress MailChimp Assistant Local File Inclusion (1.3.2)
- WordPress Plugin BackWPup Multiple Local File Include Vulnerabilities (1.5.2)