[Nginx] nginx directory traversal vulnerability

Foreword

In addition to the X-Forwarded-For client IP forgery vulnerability, a directory traversal vulnerability was also found that needs to be fixed. Here is a brief record.

1. Introduction

Nginx directory traversal is a security vulnerability that typically affects web applications served by Nginx. It can allow an attacker to gain unauthorized access to files and directories on the system by exploiting a misconfiguration or a flaw in the application code.

Simply put, a directory traversal vulnerability may exist when a web application on an Nginx server allows users to access directories and files through URLs, and at the same time injects the directory and file names in the URL into the server-side response. An attacker can bypass an application's access controls by injecting special character sequences to gain access to sensitive files or directories.

2. Introduction to problem analysis

There are many write-ups on the Internet; see, for example, "Nginx Vulnerability Repair: Directory Traversal (Directory Traversal) Vulnerability Reproduction and Repair".
Note: this vulnerability mainly occurs when alias is used to serve static resource files.

For example, Nginx is configured as follows:

location /static {
    alias /static/images/;
}

A web application allows users to access static files via a URL, as follows:

http://www.example.com/static/images/picture.jpg

If an attacker is able to use a directory traversal vulnerability to access unauthorized directories and files in the application, they may be able to access static files via the following URLs:

http://www.example.com/static../../../../etc/passwd

The URL above traverses up to the root directory and then reads /etc/passwd, a file containing sensitive information such as user credentials.

Note:
/static../ is expanded to /static/images/../, because the /static prefix is replaced by the alias /static/images/.

3. Solve

From the description above the problem is easy to see. The root cause is that the attacker can append .. to the prefix by requesting /static../, so that the actual path becomes /static/images/.. and then walks out of the directory to access files illegally.

The fix is also very simple: just add a / at the end of the location URI, as follows:

location /static/ {
    alias /static/images/;
}

After checking some references, I find the following explanation quite reasonable:

3.1 Explanation 1: why adding / solves it

The original problem is that there is no terminating restriction after /static. As long as the prefix matches, it is replaced by the alias path, and the .. that follows then forms a new path that is used for the attack.

Adding / now solves it, because / means the prefix must be a directory: in this location only requests for /static/ and its subdirectories are answered, and files outside the website directory cannot be obtained.

In addition, once the / is added, only a URI beginning with /static/ is replaced by the alias, so .. cannot be appended as /static../ to gain access.
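To make the mapping concrete, here is an added Python example (not code from the original post) that emulates nginx's prefix matching plus alias substitution for the two location forms above. It uses the traversal URL from the post and a constructed legitimate request, and includes a small lint for the weak location/alias pattern.

```python
import posixpath

# Constructed sample requests: a normal image request and the
# traversal request discussed in the post.
LEGIT_URI = "/static/picture.jpg"
TRAVERSAL_URI = "/static../../../../etc/passwd"


def alias_map(location, alias, uri):
    """Emulate nginx prefix matching plus the alias substitution:
    the part of the URI that matches the location prefix is replaced
    by the alias path. Returns None when the prefix does not match,
    i.e. nginx would not route the request to this location."""
    if not uri.startswith(location):
        return None
    return alias + uri[len(location):]


def resolves_outside(alias, mapped):
    """True when the normalised filesystem path escapes the alias root."""
    root = posixpath.normpath(alias)
    path = posixpath.normpath(mapped)
    return path != root and not path.startswith(root + "/")


def check_request(location, alias, uri):
    """Classify one request against one location block:
    'no-match', 'served' (inside the alias root) or 'escapes'."""
    mapped = alias_map(location, alias, uri)
    if mapped is None:
        return "no-match"
    return "escapes" if resolves_outside(alias, mapped) else "served"


def lint_alias(location, alias):
    """Flag the weak pattern from the post: alias ends with '/' but the
    location prefix does not, so anything following the prefix
    (including 'static..') is glued directly onto the alias path."""
    return alias.endswith("/") and not location.endswith("/")


if __name__ == "__main__":
    for loc in ("/static", "/static/"):
        print(loc, "weak" if lint_alias(loc, "/static/images/") else "ok")
        for uri in (LEGIT_URI, TRAVERSAL_URI):
            print("  ", uri, "->", check_request(loc, "/static/images/", uri))
```

With `location /static` the traversal URI maps to /static/images/../../../../etc/passwd, which normalises to /etc/passwd; with `location /static/` the same URI never matches the prefix, while the legitimate request is served in both cases.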

3.2 Explanation 2: What is a directory and what is a file

A URI ending with / indicates that the resource is a directory, not a file. When configuring a location in Nginx, if the URI ends with a slash, Nginx treats it as a directory rather than a file, and decides how to present it to the client accordingly.

In the Unix/Linux operating system, a file can be various types such as text file, binary file, picture, audio, etc., and a directory is used to store files and other directories. Similar to folders in the Windows operating system, a directory can contain multiple files or other directories. Even if the directory is empty, it will occupy a certain amount of disk space and is displayed as a folder icon.

In Nginx, a URI can represent either a file or a directory. If a URI ends with a slash, Nginx treats it as a directory rather than a file, and the contents of the directory can be presented by serving the index file under that URI. For example, if the browser visits http://example.com/files/, Nginx will automatically look under that URI for files named index.html, index.htm, index.php, etc., and display them.

4. Supplement

Regarding the processing of "/" at the end of location in Nginx configuration


Origin blog.csdn.net/weixin_42516475/article/details/131109530