Vulnerability in Nginx configurations with incorrect alias block settings

Some servers running nginx remain vulnerable to the Nginx Alias Traversal technique, which was presented at the Blackhat conference in 2018 and allows access to files and directories located outside the root directory specified in the "alias" directive. The problem manifests only in configurations where an "alias" directive is placed inside a "location" block whose mask does not end with a "/" character, while the "alias" value does end with "/".


The root of the problem is that files for blocks with the alias directive are served by concatenating the requested path with the alias value, after matching the path against the mask from the location directive and cutting off the part of the path that this mask specifies. In the example of a vulnerable configuration (a "location /img" block with "alias /var/images/;"), an attacker can request the file "/img../test.txt"; this request matches the mask specified in location "/img", after which the remaining tail "../test.txt" is appended to the path from the alias directive "/var/images/", and as a result the file "/var/images/../test.txt" is requested. Thus, attackers can access any files in the "/var" directory, and not only files in "/var/images/"; for example, to download the nginx log one can send the request "/img../log/nginx/access.log".

In configurations where the value of the alias directive does not end with a "/" character (for example, "alias /var/images;"), the attacker cannot move up to the parent directory, but can request another directory in /var whose name begins with the specified prefix. For example, by requesting "/img.old/test.txt" one can access "/var/images.old/test.txt".
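To make the mapping described in the two paragraphs above concrete, here is an added example (not code from the article or from nginx) that models how a prefix `location` with an `alias` turns a request URI into a filesystem path: the matched prefix is cut off and the tail is appended to the alias value verbatim. It reproduces the article's "/img" cases and shows why the same request no longer matches once the location prefix ends with "/". The model is a simplification (assumptions: a prefix location without a modifier, and a URI that nginx has already normalized; nginx collapses "/img/../x" to "/x" before matching, but "/img../x" contains no ".." segment of its own and survives intact).

```python
import posixpath
from typing import List, Optional, Tuple


def resolve_alias(location: str, alias: str, uri: str) -> Optional[str]:
    """Model of nginx's alias handling for a prefix location (assumption:
    no modifier such as =, ~ or ^~). The part of the URI that matched the
    location prefix is removed and the rest is glued onto the alias value.
    Returns None when the prefix does not match at all."""
    if not uri.startswith(location):
        return None
    tail = uri[len(location):]
    # The filesystem will resolve any ".." that ends up in the joined path.
    return posixpath.normpath(alias + tail)


def escapes_alias_root(location: str, alias: str, uri: str) -> bool:
    """True when the resolved path lies outside the alias directory, either
    via a parent-directory hop (alias ending in "/") or via a sibling
    directory that merely shares the alias prefix (alias without "/")."""
    resolved = resolve_alias(location, alias, uri)
    if resolved is None:
        return False
    root = posixpath.normpath(alias)
    return not (resolved == root or resolved.startswith(root + "/"))


def demo() -> List[Tuple[str, str, str, Optional[str], bool]]:
    """The article's cases plus the corrected form of the location block."""
    cases = [
        # vulnerable: location without "/", alias with "/"
        ("/img", "/var/images/", "/img../test.txt"),
        ("/img", "/var/images/", "/img../log/nginx/access.log"),
        # sibling-prefix variant: alias without trailing "/"
        ("/img", "/var/images", "/img.old/test.txt"),
        # fixed: location prefix ends with "/", so the tail always starts
        # at a real path-segment boundary
        ("/img/", "/var/images/", "/img../test.txt"),
        ("/img/", "/var/images/", "/img/photo.png"),
    ]
    return [
        (loc, alias, uri, resolve_alias(loc, alias, uri),
         escapes_alias_root(loc, alias, uri))
        for loc, alias, uri in cases
    ]


if __name__ == "__main__":
    for loc, alias, uri, path, escaped in demo():
        print(f"location {loc:6} alias {alias:13} {uri:28} -> {path!s:28} "
              f"{'OUTSIDE ROOT' if escaped else 'ok'}")
```

The last two cases are the mitigation: with `location /img/` a request for "/img../test.txt" does not match the block at all, and "/img/../test.txt" is normalized by nginx to "/test.txt" before location matching, so the tail can no longer carry a ".." into the alias path.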

An analysis of repositories on GitHub showed that the nginx configuration errors leading to this problem are still found in real projects. For example, the problem was found in the backend of the Bitwarden password manager and could be used to access all files in the /etc/bitwarden directory (requests for /attachments were served from /etc/bitwarden/attachments/), including the password database "vault.db" stored there, certificates and logs, for which it was enough to send the requests "/attachments../vault.db", "/attachments../identity.pfx", "/attachments../logs/api.log", etc.


The method also worked with Google HPC Toolkit, where requests for /static were redirected to the "../hpc-toolkit/community/front-end/website/static/" directory. To obtain the database with the secret key and credentials, an attacker could send the requests "/static../.secret_key" and "/static../db.sqlite3".
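Since the Bitwarden and HPC Toolkit cases above are both instances of the same configuration pattern, a defender's first step is to audit their own nginx configs for it. The following added example (my own code, not from the article, nginx or either project) scans nginx configuration text for prefix `location` blocks that contain an `alias` and reports the two variants the article describes: a location prefix without a trailing "/" combined with an alias that ends in "/" (parent-directory traversal), and the same prefix combined with an alias that does not end in "/" (access to sibling directories sharing the prefix). The sample configuration is constructed for the example; the parser is a deliberate simplification (assumptions: comments are stripped, `include` files are not followed, exact-match and regex locations are skipped because alias behaves differently there, and an alias in a nested location is attributed to the outer block).

```python
import re
from typing import List, Tuple

# location [modifier] prefix {   -- modifier is optional
LOCATION_RE = re.compile(r'location\s+(?:(=|~\*?|\^~)\s+)?(\S+)\s*\{')
ALIAS_RE = re.compile(r'\balias\s+([^;\s]+)\s*;')

# Constructed sample config mirroring the patterns discussed in the article.
CONSTRUCTED_CONFIG = """
server {
    listen 80;
    # vulnerable: prefix without "/", alias with "/"
    location /attachments {
        alias /etc/bitwarden/attachments/;
    }
    # sibling-prefix variant: alias without trailing "/"
    location /img {
        alias /var/images;
    }
    # corrected form: the location prefix ends with "/"
    location /static/ {
        alias /srv/app/static/;
    }
    # root is not affected by this issue
    location /docs {
        root /srv/www;
    }
}
"""


def _block_body(text: str, open_idx: int) -> str:
    """Return the text between the brace at open_idx and its matching close."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == '{':
            depth += 1
        elif text[i] == '}':
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    return text[open_idx + 1:]          # unbalanced config: take the rest


def find_alias_issues(config: str) -> List[Tuple[str, str, str]]:
    """Return (location_prefix, alias_value, issue) for every risky pair."""
    config = re.sub(r'#[^\n]*', '', config)   # drop comments
    findings = []
    for m in LOCATION_RE.finditer(config):
        modifier, prefix = m.group(1), m.group(2)
        if modifier in ('=', '~', '~*'):
            continue                  # different alias semantics; out of scope
        body = _block_body(config, m.end() - 1)
        a = ALIAS_RE.search(body)
        if a is None:
            continue                  # no alias in this block (e.g. root)
        alias = a.group(1)
        if prefix.endswith('/'):
            continue                  # tail always begins at a "/" boundary
        if alias.endswith('/'):
            findings.append((prefix, alias, 'parent-traversal'))
        else:
            findings.append((prefix, alias, 'sibling-prefix'))
    return findings


if __name__ == "__main__":
    for prefix, alias, issue in find_alias_issues(CONSTRUCTED_CONFIG):
        print(f"{issue:16} location {prefix} -> alias {alias}  "
              f"(fix: use 'location {prefix}/')")
```

Running it on a real deployment means passing the output of `nginx -T` (which prints the fully merged configuration) to `find_alias_issues`. The fix the scanner suggests is the standard one: give the location prefix a trailing "/" so that everything appended to the alias value starts at a genuine path-segment boundary, which nginx has already normalized.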



source: budenet.ru
