forked from yandex/gixy
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[alias_traversal] Added documentation
Showing 4 changed files with 52 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
# [alias_traversal] Path traversal via misconfigured alias | ||
|
||
The [alias](https://nginx.ru/ru/docs/http/ngx_http_core_module.html#alias) directive is used to replace path of the specified location. | ||
For example, with the following configuration: | ||
```nginx | ||
location /i/ { | ||
alias /data/w3/images/; | ||
} | ||
``` | ||
on request of `/i/top.gif`, the file `/data/w3/images/top.gif` will be sent. | ||
|
||
But, if the location doesn't ends with directory separator (i.e. `/`): | ||
```nginx | ||
location /i { | ||
alias /data/w3/images/; | ||
} | ||
``` | ||
on request of `/i../app/config.py`, the file `/data/w3/app/config.py` will be sent. | ||
|
||
In other words, the incorrect configuration of `alias` could allow an attacker to read file stored outside the target folder. | ||
|
||
## What can I do? | ||
It's pretty simple: | ||
- you must find all the `alias` directives; | ||
- make sure that the parent prefixed location ends with directory separator. |
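Review bot: the English page has grammar slips and links to the Russian nginx docs; in the line "The [alias](https://nginx.ru/ru/docs/http/ngx_http_core_module.html#alias) directive is used to replace path of the specified location." the link should point at the English nginx.org documentation for `alias`, and the sentence should read "is used to replace the path of the specified location". Likewise "if the location doesn't ends with directory separator" should be "if the location doesn't end with a directory separator", and "read file stored outside the target folder" should be "read files stored outside the target folder". The "What can I do?" list would also benefit from one sentence saying why the trailing slash matters: `alias` substitutes the matched prefix, so with `location /i` the prefix `/i` also matches the request `/i../app/config.py` and the remainder `../app/config.py` is appended to `/data/w3/images/`, which is exactly what the second example shows but the text never states.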
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
# [alias_traversal] Path traversal при использовании alias | ||
|
||
Директива [alias](https://nginx.ru/ru/docs/http/ngx_http_core_module.html#alias) используется для замены пути указанного локейшена. | ||
К примеру, для конфигурации: | ||
```nginx | ||
location /i/ { | ||
alias /data/w3/images/; | ||
} | ||
``` | ||
на запрос `/i/top.gif` будет отдан файл `/data/w3/images/top.gif`. | ||
|
||
Однако, если локейшен не оканчивается разделителем директорий (`/`): | ||
```nginx | ||
location /i { | ||
alias /data/w3/images/; | ||
} | ||
``` | ||
то на запрос `/i../app/config.py` будет отдан файл `/data/w3/app/config.py`. | ||
|
||
Иными словами, не корректная конфигурация `alias` может позволить злоумышленнику прочесть файл за пределами целевой директории. | ||
|
||
## Что делать? | ||
Все довольно просто: | ||
- необходимо найти все директивы `alias`; | ||
- убедится что вышестоящий префиксный локейшен оканчивается на `/`. |
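Review bot: the Russian page has spelling errors that should be fixed before merging: "не корректная конфигурация" should be "некорректная конфигурация", "убедится что" should be "убедиться, что", and "Однако, если" should be "Однако если". As in the English version, the remediation list would read better with a short explanation of why the trailing `/` matters (the matched prefix `/i` is replaced by the alias path, so the rest of `/i../app/config.py` is appended to `/data/w3/images/`), which the two examples demonstrate without the text stating it.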