Path traversal via misconfigured NGINX alias

Description
  • NGINX is a web server which can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache.
    The NGINX alias directive defines a replacement for the specified location.
    For example, with the following configuration:
    location /i/ {
        alias /data/w3/images/;
    }
    
    on request of /i/top.gif, the file /data/w3/images/top.gif will be sent.

    But if the location does not end with a directory separator (i.e. /):
    location /i {
        alias /data/w3/images/;
    }
    
    on request of /i../app/config.py, the part of the URI after /i (../app/config.py) is appended to the alias path, so the file /data/w3/app/config.py will be sent.

    An incorrectly configured alias could allow an attacker to read files stored outside the target folder.

    The following tests were performed to confirm this vulnerability:
    • alias../ => HTTP status code 403
    • alias.../ => HTTP status code 404
    • alias../../ => HTTP status code 403
    • alias../../../../../../../../../../../ => HTTP status code 400
    • alias../ => HTTP status code 403
Remediation
  • Find all NGINX alias directives and make sure that the parent prefixed location ends with a directory separator.
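
One way to carry out this review on a configuration file, as an added example (not part of the original advisory or of NGINX itself). It flags the pattern shown in the description: a prefix location without a trailing / whose alias ends with /. The sample configuration and the function names are constructed for illustration, and the check assumes each alias sits directly in a non-nested location block and does not follow include directives.

```python
import posixpath
import re

# Constructed sample configuration (not from a real deployment).
SAMPLE_CONF = """
location /i/ {
    alias /data/w3/images/;    # prefix ends with /
}
location /static {
    alias /data/w3/static/;    # prefix lacks the trailing /
}
location ~ ^/dl/(.+)$ {
    alias /data/w3/files/$1;   # regex location, skipped by this check
}
"""

LOCATION_RE = re.compile(r"\blocation\s+(?:(=|~\*?|\^~)\s+)?([^\s{]+)\s*\{")
ALIAS_RE = re.compile(r"\balias\s+([^;]+);")


def block_body(text, start):
    """Return the text from `start` (just after a '{') up to its matching '}'."""
    depth = 1
    for pos in range(start, len(text)):
        depth += {"{": 1, "}": -1}.get(text[pos], 0)
        if depth == 0:
            return text[start:pos]
    return text[start:]


def find_unsafe_aliases(conf):
    """List (location, alias) pairs where a prefix location lacks a trailing
    '/' but its alias target ends with one."""
    conf = re.sub(r"#[^\n]*", "", conf)           # drop comments
    findings = []
    for m in LOCATION_RE.finditer(conf):
        modifier, prefix = m.group(1), m.group(2)
        if modifier in ("=", "~", "~*"):          # exact and regex locations are skipped
            continue
        alias = ALIAS_RE.search(block_body(conf, m.end()))
        if alias and not prefix.endswith("/") and alias.group(1).strip().endswith("/"):
            findings.append((prefix, alias.group(1).strip()))
    return findings


def aliased_path(prefix, alias, uri):
    """Replace the location prefix with the alias, then normalise the path."""
    return posixpath.normpath(alias + uri[len(prefix):])
```

aliased_path reproduces the two mappings from the description, which makes it usable as a regression check after a location prefix has been corrected.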