53 lines
1.2 KiB
Markdown
53 lines
1.2 KiB
Markdown
|
# Nginx
|
||
|
|
|
||
|
|
## Alias LFI Misconfiguration
|
||
|
|
|
||
|
|
Inside the Nginx configuration look the "location" statements, if someone looks like:
|
||
|
|
|
||
|
|
```text
|
||
|
|
location /imgs {
|
||
|
|
alias /path/images/
|
||
|
|
}
|
||
|
|
```
|
||
|
|
|
||
|
|
There is a LFI vulnerability because:
|
||
|
|
|
||
|
|
```text
|
||
|
|
/imgs../flag.txt
|
||
|
|
```
|
||
|
|
|
||
|
|
Transforms to:
|
||
|
|
|
||
|
|
```text
|
||
|
|
/path/images/../flag.txt
|
||
|
|
```
|
||
|
|
|
||
|
|
The correct configuration will be:
|
||
|
|
|
||
|
|
```text
|
||
|
|
location /imgs/ {
|
||
|
|
alias /path/images/
|
||
|
|
}
|
||
|
|
```
|
||
|
|
|
||
|
|
**So, if you find some Nginx server you should check for this vulnerability. Also, you can discover it if you find that the files/directories brute force is behaving weird.**
|
||
|
|
|
||
|
|
More info: [https://www.acunetix.com/vulnerabilities/web/path-traversal-via-misconfigured-nginx-alias/](https://www.acunetix.com/vulnerabilities/web/path-traversal-via-misconfigured-nginx-alias/)
|
||
|
|
|
||
|
|
Accunetix tests:
|
||
|
|
|
||
|
|
```text
|
||
|
|
alias../ => HTTP status code 403
|
||
|
|
alias.../ => HTTP status code 404
|
||
|
|
alias../../ => HTTP status code 403
|
||
|
|
alias../../../../../../../../../../../ => HTTP status code 400
|
||
|
|
alias../ => HTTP status code 403
|
||
|
|
```
|
||
|
|
|
||
|
|
## Static Analyzer tools
|
||
|
|
|
||
|
|
### [GIXY](https://github.com/yandex/gixy)
|
||
|
|
|
||
|
|
Gixy is a tool to analyze Nginx configuration. The main goal of Gixy is to prevent security misconfiguration and automate flaw detection.
|
||
|
|
|