Hi Friends,
Let's have some fun again. I have been a bit busy lately, even though there were so many holidays. I'd like to share a small tutorial on exploiting a commonly missed configuration in NGINX that allows an attacker to perform path traversal on the server.
Off By Slash
Let's take a look at the NGINX configuration below, where a missing trailing slash in the location directive, combined with the alias directive, can make it possible to read the source code of the web application.

Let's look in more detail at how this misconfiguration leads to path traversal. Take a look at the configuration below. We can assume that only http://apiserver/v1/ is meant to be accessible to the user.

So when the user makes a request to http://server/api/user, the parser engine normalizes the request into the form shown below. The location prefix is then removed from the URL, so the remaining path /user is appended to the proxy_pass target, as shown below.

Exploitation
This misconfiguration can be exploited by requesting http://server/api../, which results in NGINX requesting the URL http://apiserver/v1/../, which is normalized to http://apiserver/. It could, for example, lead to the Apache server-status page being exposed at the URL http://server/api../server-status, which shows information like the details below.

Based on the above situation, we can leverage the path traversal for further exploitation, such as log poisoning to achieve remote command execution.
Remediation
Find all NGINX alias directives and make sure that the parent prefix location ends with a directory separator.
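To make the prefix-substitution step and the remediation check concrete, here is an added example (my own code, not from the original post or from NGINX) that does two things: a small scanner that walks an NGINX configuration and flags prefix locations lacking a trailing slash whose alias or proxy_pass target ends with one, and a helper that models how NGINX replaces the matched location prefix with the target path before dot-segments are resolved. The two configuration snippets inside it are constructed for the example; the /api and /static prefixes, the http://apiserver/v1/ target and the /var/www/app/static/ directory are assumptions, not the configuration from the post. Note that the same off-by-slash pattern applies to proxy_pass with a URI part, which is the case walked through above, not only to alias.

```python
"""Off-by-slash checker for NGINX prefix locations (added example, not from
the original post). Scans a config for `location PREFIX` blocks where PREFIX
lacks a trailing '/' but the alias/proxy_pass target ends with one, and models
the prefix substitution that lets '/prefix../' escape the intended directory."""
import posixpath
import re

# "location [modifier] PREFIX {" -> captures the optional modifier and prefix.
LOCATION_RE = re.compile(r'^\s*location\s+(?:(=|~\*|~|\^~)\s+)?(\S+)\s*\{')
# "alias TARGET;" or "proxy_pass TARGET;" inside a location block.
TARGET_RE = re.compile(r'^\s*(alias|proxy_pass)\s+(\S+?)\s*;')

# Constructed sample: the prefixes have no trailing slash, the targets do.
VULNERABLE_CONF = """
server {
    listen 80;
    location /api {
        proxy_pass http://apiserver/v1/;   # assumed upstream, off-by-slash
    }
    location /static {
        alias /var/www/app/static/;        # assumed directory, off-by-slash
    }
}
"""

# Constructed sample: same blocks with the prefixes ending in '/'.
FIXED_CONF = """
server {
    listen 80;
    location /api/ {
        proxy_pass http://apiserver/v1/;
    }
    location /static/ {
        alias /var/www/app/static/;
    }
}
"""


def find_off_by_slash(config_text):
    """Return (line_no, prefix, directive, target) for each risky pairing.
    Only prefix locations (no modifier, or ^~) do prefix substitution, so
    exact (=) and regex (~, ~*) locations are skipped."""
    findings = []
    current = None  # (line_no, prefix) of the enclosing prefix location
    depth = 0       # brace depth relative to that location block
    for line_no, line in enumerate(config_text.splitlines(), 1):
        stripped = line.split('#', 1)[0]          # drop trailing comments
        m = LOCATION_RE.match(stripped)
        if m:
            modifier, prefix = m.groups()
            current = (line_no, prefix) if modifier in (None, '^~') else None
            depth = 0
        if current:
            depth += stripped.count('{') - stripped.count('}')
            t = TARGET_RE.match(stripped)
            if t:
                directive, target = t.groups()
                if not current[1].endswith('/') and target.endswith('/'):
                    findings.append((line_no, current[1], directive, target))
            if depth <= 0:                        # left the location block
                current = None
    return findings


def upstream_path(location_prefix, target_path, request_uri):
    """Model NGINX prefix substitution: the part of the request URI matching
    the location is replaced by the alias/proxy_pass path, and the result's
    dot-segments are then resolved (by NGINX, the upstream, or the filesystem).
    Returns None when the request does not match the location at all."""
    if not request_uri.startswith(location_prefix):
        return None
    raw = target_path + request_uri[len(location_prefix):]
    return posixpath.normpath(raw)


if __name__ == '__main__':
    for line_no, prefix, directive, target in find_off_by_slash(VULNERABLE_CONF):
        print(f'line {line_no}: location {prefix} + {directive} {target} '
              f'-> add a trailing slash to the location prefix')
    print('fixed config findings:', find_off_by_slash(FIXED_CONF))
    # Normal request stays under /v1/; the off-by-slash request escapes it.
    print(upstream_path('/api', '/v1/', '/api/user'))   # /v1/user
    print(upstream_path('/api', '/v1/', '/api../'))     # /
    print(upstream_path('/api/', '/v1/', '/api../'))    # None: no longer matches
```

The scanner is intentionally simple (one directive per line, no `include` following), so treat it as a first pass over a rendered configuration rather than a full parser; with the prefix corrected to /api/, a request for /api../ no longer matches the location at all, which is exactly why the trailing slash closes the issue.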