Vulnerability in Nginx configurations with incorrect alias block settings

Some Nginx servers remain vulnerable to the Nginx Alias Traversal technique, presented at the Blackhat conference back in 2018, which allows access to files and directories outside the directory specified in the "alias" directive. The problem appears only in configurations where an "alias" directive is placed inside a "location" block whose mask does not end with "/", while the "alias" value does end with "/".


The essence of the problem is that, for blocks with an alias directive, files are served by taking the requested path, matching it against the mask from the location directive, cutting off the part of the path given in that mask, and appending the remainder to the alias. In the vulnerable configuration described here (a "location /img" block with "alias /var/images/;"), an attacker can request the file "/img../test.txt": the request falls under the "/img" mask given in location, the remaining tail "../test.txt" is appended to the path from the alias directive "/var/images/", and the server ultimately requests the file "/var/images/../test.txt". As a result, the attacker can access any file in the "/var" directory, not just files under "/var/images/"; for example, the nginx log can be downloaded with the request "/img../log/nginx/access.log".

In configurations where the value of the alias directive does not end with a "/" character (for example, "alias /var/images;"), the attacker cannot move up to the parent directory, but can request another directory in /var whose name begins with the one specified in the configuration. For example, the request "/img.old/test.txt" gives access to "/var/images.old/test.txt".
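The following is an added example, not code from the article or from nginx: it reproduces the path mapping described above for both cases (alias with and without a trailing "/") and scans a constructed nginx config fragment for prefix locations whose mask lacks a trailing "/" but carries an alias directive, which is the pattern an administrator would want to detect. The sample config and the function names are assumptions made for the example.

```python
import re

# Constructed sample config (not from the article): one block with the
# off-by-slash pattern, one safe block, and one with a slash-less alias.
SAMPLE_CONF = """
server {
    location /img {
        alias /var/images/;
    }
    location /static/ {
        alias /srv/app/static/;
    }
    location /data {
        alias /var/data;
    }
}
"""

# Only plain prefix locations are of interest; "=" and regex locations match differently.
LOCATION_RE = re.compile(r'location\s+(?:(=|\^~|~\*?)\s+)?(\S+)\s*\{([^{}]*)\}')
ALIAS_RE = re.compile(r'\balias\s+([^;]+);')

def resolve(prefix, alias, request):
    """Mirror how nginx maps a request to a file for a prefix location with
    alias: the matched prefix is cut off and the tail is appended to alias."""
    if not request.startswith(prefix):
        return None
    return alias + request[len(prefix):]

def find_alias_issues(conf):
    """Return (prefix, alias, kind) for every prefix location whose mask lacks
    a trailing "/" but carries an alias directive."""
    issues = []
    for m in LOCATION_RE.finditer(conf):
        modifier, prefix, body = m.groups()
        if modifier or prefix.endswith('/'):
            continue
        a = ALIAS_RE.search(body)
        if not a:
            continue
        alias = a.group(1).strip()
        # alias ending in "/" lets "/img../x" reach "/var/images/../x";
        # without it, "/img.old/x" reaches the sibling "/var/images.old/x".
        kind = 'parent-traversal' if alias.endswith('/') else 'sibling-prefix'
        issues.append((prefix, alias, kind))
    return issues

if __name__ == '__main__':
    for prefix, alias, kind in find_alias_issues(SAMPLE_CONF):
        print(f'{prefix} -> {alias}: {kind}; fix: end the location mask with "/"')
```

The fix for a flagged block is to give the location mask a trailing "/" as well (or to use "root" instead of "alias"), so that "/img../x" no longer matches the prefix.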

An analysis of repositories on GitHub showed that errors in nginx configurations leading to this problem still occur in real projects. For example, the problem was found in the backend of the Bitwarden password manager and could be used to access all files in the /etc/bitwarden directory (requests for /attachments were served from /etc/bitwarden/attachments/), including "vault.db", certificates and logs; to obtain them it was sufficient to send the requests "/attachments../vault.db", "/attachments../identity.pfx", "/attachments../logs/api.log", etc.


The technique also worked against Google HPC Toolkit, which likewise redirected /static requests to the "../hpc-toolkit/community/front-end/website/static/" directory. To obtain the database containing the secret key and credentials, an attacker could send the requests "/static../.secret_key" and "/static../db.sqlite3".

Source: opennet.ru