Description

NGINX is a web server which can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache.
The NGINX alias directive defines a replacement for the specified location.
For example, with the following configuration: 

location /i/ {
    alias /data/w3/images/;
}
on request of /i/top.gif, the file /data/w3/images/top.gif will be sent.

But, if the location doesn't ends with directory separator (i.e. /): 
location /i {
    alias /data/w3/images/;
}
on request of /i../app/config.py, the file /data/w3/app/config.py will be sent.

The incorrect configuration of the alias could allow an attacker to read file stored outside the target folder.

The following tests were performed to confirm this vulnerability:
  • alias../ => HTTP status code 403
  • alias.../ => HTTP status code 404
  • alias../../ => HTTP status code 403
  • alias../../../../../../../../../../../ => HTTP status code 400
  • alias../ => HTTP status code 403

Remediation

Find all NGINX alias directives and make sure that the parent prefixed location ends with directory separator.

References

Module ngx_http_core_module

[alias_traversal] Path traversal via misconfigured alias

Related Vulnerabilities

WordPress Plugin WP Cost Estimation & Payment Forms Builder Directory Traversal (9.659)

WordPress Plugin OPS Old Post Spinner 'ops_file' Parameter Local File Include (2.2.1)

WordPress 4.5.3 Directory Traversal Vulnerability (4.5.3 - 4.5.3)

WordPress Plugin A/B Test 'action' Parameter Directory Traversal (1.0.6)

WordPress Plugin Paid Memberships Pro Directory Traversal (1.7.14.2)

Severity

High

Classification

CWE-22

Tags

Directory Traversal