Vulnerability in nginx configurations with an incorrectly set up alias

Some servers running nginx remain vulnerable to the Nginx Alias Traversal technique, presented at the Blackhat conference in 2018, which allows access to files and directories located outside the root directory specified in the "alias" directive. The problem only shows up in configurations where an "alias" directive is placed inside a "location" block whose prefix does not end with a "/" character, while the "alias" value does end with "/".


The essence of the problem is that, for blocks with the alias directive, files are served by taking the requested path, matching it against the prefix from the location directive, cutting off the part of the path that this prefix covers, and appending the remainder to the alias. In the vulnerable configuration described above (location "/img" with "alias /var/images/"), an attacker can request the file "/img../test.txt": this request matches the "/img" prefix specified in location, after which the remaining tail "../test.txt" is appended to "/var/images/". As a result, attackers can access any file in the "/var" directory, not only files in "/var/images/"; for example, to download the nginx log it is enough to send the request "/img../log/nginx/access.log".

In a configuration where the value of the alias directive does not end with a "/" character (for example, "alias /var/images;"), the attacker cannot step into the parent directory, but can request another directory inside /var whose name starts with the one given in the configuration. For example, by requesting "/img.old/test.txt" one can access "/var/images.old/test.txt".
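As an added example (not from the article and not nginx's own code), a small Python checker for the two misconfigured shapes described above, plus a function that models the prefix-strip-and-append mapping on a constructed sample configuration; the location regex is a deliberate simplification for prefix locations, not a full nginx config parser, and the "/safe/" block shows the corrected form where the location prefix also ends with "/".

```python
import re
import posixpath

# Constructed sample config (not from the article): the vulnerable shape described
# above, the "alias without trailing slash" variant, and a corrected block where
# both the location prefix and the alias end with "/".
SAMPLE_CONF = """
server {
    location /img {
        alias /var/images/;
    }
    location /static {
        alias /var/images;
    }
    location /safe/ {
        alias /var/images/;
    }
}
"""

# Prefix locations only; '=' and regex locations are matched differently and skipped.
LOCATION_RE = re.compile(r'location\s+(?:(=|~\*?|\^~)\s+)?("[^"]*"|\S+)\s*\{([^{}]*)\}')
ALIAS_RE = re.compile(r'\balias\s+([^;]+);')

def find_alias_traversal(conf: str):
    """Return (prefix, alias, issue) for each location/alias pair whose prefix does
    not end in '/': 'traversal' if the alias ends in '/' (parent-directory escape),
    'sibling' otherwise (access to directories whose name starts with the alias)."""
    findings = []
    for m in LOCATION_RE.finditer(conf):
        modifier, prefix, body = m.group(1), m.group(2).strip('"'), m.group(3)
        if modifier and modifier != '^~':
            continue
        a = ALIAS_RE.search(body)
        if not a or prefix.endswith('/'):
            continue
        alias = a.group(1).strip().strip('"')
        findings.append((prefix, alias, 'traversal' if alias.endswith('/') else 'sibling'))
    return findings

def resolve(prefix: str, alias: str, uri: str):
    """Model the mapping described above: normalize the URI (as nginx does before
    location matching), strip the matched prefix, append the rest to the alias and
    let the filesystem collapse any '..' segments. None if the prefix does not match."""
    uri = posixpath.normpath(uri)
    if not uri.startswith(prefix):
        return None
    return posixpath.normpath(alias + uri[len(prefix):])
```

Running `find_alias_traversal` over a real nginx.conf flags the blocks to fix; `resolve` shows why "/img../test.txt" lands in /var while the same trick against the "/safe/" block is normalized away before the location ever matches.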

An analysis of GitHub repositories showed that nginx configuration errors leading to this problem are still found in real projects. For example, the problem was identified in the backend of the Bitwarden password manager and could be used to access all files in the /etc/bitwarden directory (requests to /attachments were served from /etc/bitwarden/attachments/), including the database "vault.db" stored there with the secret key, certificates and logs; it was enough to send the requests "/attachments../vault.db", "/attachments../identity.pfx", "/attachments../logs/api.log", etc.


The technique also worked against the Google HPC Toolkit, where requests to /static were redirected to the "../hpc-toolkit/community/front-end/website/static/" directory. To obtain the database with the private key and credentials, an attacker could send the requests "/static../.secret_key" and "/static../db.sqlite3".

Source: opennet.ru