Path traversal via NGINX alias

Hi Friends,

Let's have some fun again. I have been a bit busy lately, even with so many holidays. I would like to share a small tutorial on exploiting a commonly missed NGINX configuration that allows an attacker to perform path traversal on the server.

Off By Slash

Let's take a look at the NGINX configuration below, where a missing trailing slash in the location directive, combined with the alias directive, makes it possible to read the source code of the web application.

Let's look in more detail at how this misconfiguration leads to path traversal, using the configuration below. The intent is that users should only be able to reach http://apiserver/v1/ through the proxy.

When the user requests http://server/api/user, NGINX matches the location prefix /api, removes that prefix from the request URI and appends the remainder, /user, to the proxy_pass URL, giving the upstream request shown below.

Exploitation

This misconfiguration can be exploited by requesting http://server/api../. The prefix /api still matches, so NGINX builds the upstream URL http://apiserver/v1/../, which the backend normalizes to http://apiserver/. It could, for example, expose the Apache server-status page through the URL http://server/api../server-status, which shows information like the details below.
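To make the two steps above concrete, here is a small Python model of NGINX's prefix substitution. It is an added example written for this post, not code from the post or from NGINX itself; the location table, the apiserver host and the /home/app/static/ alias directory are assumptions chosen to match the scenario described. It covers both the proxy_pass case discussed here and the alias case from the previous section, and shows why the payload has to keep the dots glued to the prefix.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed configs, modelled as {location prefix: alias dir or proxy_pass URL}.
# VULNERABLE matches the scenario in the post: no trailing slash on the
# location, trailing slash on the target.  FIXED is the same with the slash added.
VULNERABLE = {"/api": "http://apiserver/v1/", "/static": "/home/app/static/"}
FIXED = {"/api/": "http://apiserver/v1/", "/static/": "/home/app/static/"}


def collapse_dots(path: str) -> str:
    """Resolve '.' and '..' segments and squash '//' the way a URI parser or
    the filesystem does, keeping a trailing slash if the input had one."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
        else:
            out.append(seg)
    result = "/" + "/".join(out)
    if path.endswith("/") and result != "/":
        result += "/"
    return result


def match_location(request_path: str, locations: Dict[str, str]) -> Optional[str]:
    """Longest matching prefix location, as NGINX chooses among plain prefix
    locations (exact '=' and regex locations are not modelled here)."""
    hits = [p for p in locations if request_path.startswith(p)]
    return max(hits, key=len) if hits else None


def rewrite(request_path: str, locations: Dict[str, str]) -> Optional[str]:
    """The URI (proxy_pass) or file path (alias) that NGINX builds for a request.

    NGINX normalises the incoming URI first, so '/api/../x' becomes '/x' before
    matching; that is why the payload keeps '..' glued to the prefix ('/api..').
    It then replaces the matched prefix with the target and appends the rest of
    the path verbatim, without collapsing any '..' that this produces.
    """
    request_path = collapse_dots(request_path)
    prefix = match_location(request_path, locations)
    if prefix is None:
        return None  # no matching location: another block handles it, or 404
    return locations[prefix] + request_path[len(prefix):]


def resolve_target(target: str) -> str:
    """What the upstream server or the filesystem does with NGINX's result:
    collapse '..' and '//'.  This is the step where the traversal takes effect."""
    parts = urlsplit(target)
    return urlunsplit(parts._replace(path=collapse_dots(parts.path)))


def trace(request_path: str, locations: Dict[str, str]) -> str:
    """One-line summary of request -> NGINX output -> what the target resolves."""
    built = rewrite(request_path, locations)
    if built is None:
        return f"{request_path!r:28} -> no matching location"
    return f"{request_path!r:28} -> {built}  =>  {resolve_target(built)}"


if __name__ == "__main__":
    for label, conf in (("VULNERABLE", VULNERABLE), ("FIXED", FIXED)):
        print(label)
        for req in ("/api/user", "/api/../server-status", "/api../server-status",
                    "/api../", "/static../settings.py"):
            print("  " + trace(req, conf))
```

Running it prints, for the vulnerable table, the harmless /api/user becoming http://apiserver/v1//user (the double slash is real NGINX behaviour and backends tolerate it), /api/../server-status failing to match at all because NGINX collapsed it before matching, and /api../server-status becoming http://apiserver/v1/../server-status, which the backend resolves to /server-status. With the trailing slash in the location, neither /api../ nor /static../ matches any prefix.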

From that position, the path traversal can be chained with further exploitation, such as log poisoning, to obtain remote command execution.

Remediation

Find all NGINX alias directives (and proxy_pass directives whose URL carries a path) and make sure that the parent prefix location ends with the directory separator, /.
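A quick way to do that audit across a config file is the script below. It is an added example, my own code rather than anything from the post or from NGINX, and the sample configuration embedded in it is constructed for the demonstration: it contains the two off-by-slash locations from this post, their corrected forms, a regex location and a proxy_pass with no path part, so the checker has both true positives and cases it must leave alone.

```python
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit

# Constructed sample config (not from the post): two off-by-slash locations,
# their corrected forms, a regex location and a proxy_pass without a URI part.
SAMPLE_CONF = """\
server {
    listen 80;

    location /static {
        alias /home/app/static/;
    }

    location /api {
        proxy_pass http://apiserver/v1/;
    }

    location /assets/ {
        alias /home/app/assets/;
    }

    location /v2/ {
        proxy_pass http://apiserver/v2/;
    }

    location ~ ^/img/(.*)$ {
        alias /home/app/img/$1;
    }

    location / {
        proxy_pass http://backend;
    }
}
"""

# `location [modifier] prefix {` and the two directives that substitute the prefix.
LOCATION_RE = re.compile(r"\blocation\s+(?:(=|~\*|~|\^~)\s+)?(\S+)\s*\{")
DIRECTIVE_RE = re.compile(r"\b(alias|proxy_pass)\s+([^;]+);")


@dataclass
class Finding:
    line: int
    prefix: str
    directive: str
    target: str
    prefix_end: int  # offset just past the prefix, used by remediate()


def block_body(text: str, open_brace: int) -> str:
    """Text between the '{' at open_brace and its matching '}'."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in config")


def substitutes_prefix(directive: str, target: str) -> bool:
    """alias always replaces the matched prefix; proxy_pass only does so when
    its URL carries a path part (http://backend alone passes the URI through)."""
    return directive == "alias" or urlsplit(target).path != ""


def audit(conf: str) -> List[Finding]:
    """Flag prefix locations without a trailing slash whose block contains a
    directive that replaces the prefix: the off-by-slash pattern."""
    findings = []
    for m in LOCATION_RE.finditer(conf):
        modifier, prefix = m.group(1), m.group(2)
        if modifier in ("=", "~", "~*"):
            continue  # exact and regex matches are not prefix substitutions
        if prefix.endswith("/"):
            continue  # '/api../' cannot match '/api/', so the bypass is closed
        for d in DIRECTIVE_RE.finditer(block_body(conf, m.end() - 1)):
            directive, target = d.group(1), d.group(2).strip()
            if substitutes_prefix(directive, target):
                findings.append(Finding(conf.count("\n", 0, m.start()) + 1,
                                        prefix, directive, target, m.end(2)))
    return findings


def remediate(conf: str) -> str:
    """Append the missing '/' to every flagged location prefix, editing from
    the end of the file so earlier offsets stay valid."""
    for f in sorted(audit(conf), key=lambda f: f.prefix_end, reverse=True):
        conf = conf[:f.prefix_end] + "/" + conf[f.prefix_end:]
    return conf


if __name__ == "__main__":
    for f in audit(SAMPLE_CONF):
        print(f"line {f.line}: location {f.prefix} {{ {f.directive} {f.target}; }}")
    print("clean after fix:", not audit(remediate(SAMPLE_CONF)))
```

Two caveats before applying remediate() to a real file: adding the trailing slash changes matching, so a bare request for /api no longer hits location /api/ and may need an exact-match or redirect location of its own; and the scanner looks at the whole block text, so a directive inside a nested location is attributed to the outer one. Treat it as a triage tool and review each finding by hand.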
