Vulnerability in Nginx configurations with incorrect alias block settings

Some nginx servers remain vulnerable to the Nginx Alias Traversal technique, which was presented at the Blackhat conference back in 2018 and allows access to files and directories located outside the root directory specified in the "alias" directive. The problem appears only in configurations where an "alias" directive is placed inside a "location" block whose parameter does not end with the "/" character, while the "alias" value does end with "/".

[Image: example of a vulnerable nginx configuration]

The root of the problem is that, for location blocks containing an alias directive, files are served by appending the requested path after it has been matched against the prefix from the location directive and the part of the path covered by that prefix has been cut off. In the vulnerable configuration example shown above, an attacker can request the file "/img../test.txt": this request matches the prefix "/img" specified in the location, after which the remaining tail "../test.txt" is appended to the alias path "/var/images/", so the file "/var/images/../test.txt" is served. As a result, attackers can access any file under the "/var" directory, not just files in "/var/images/"; for example, to download the nginx log it is enough to send the request "/img../log/nginx/access.log".

In configurations where the value of the alias directive does not end with the "/" character (for example, "alias /var/images;"), the attacker cannot move up to the parent directory, but can request another directory in /var whose name begins with the one specified in the configuration. For example, by requesting "/img.old/test.txt" one can access "/var/images.old/test.txt".
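The two behaviours described above (parent-directory traversal when the alias ends with "/", sibling-directory exposure when it does not) can be checked for in a configuration before it is deployed. The following is an added example, not code from the article or from nginx: a small Python linter that walks "location" blocks, flags prefix locations that lack a trailing "/" but carry an "alias", and a helper that mimics how nginx builds the filesystem path (alias plus the part of the URI after the matched prefix) so the effect of a request can be seen without a running server. The sample configuration text is constructed for the example; the functions, names and the "fix" string are this example's own.

```python
import posixpath
import re

# Constructed sample configuration (not from the article): two locations with the
# alias-ends-with-slash pattern, one with the alias-without-slash pattern, and
# one that is correctly written.
VULNERABLE_CONF = """
server {
    listen 80;
    location /img {
        alias /var/images/;
    }
    location /attachments {
        alias /etc/bitwarden/attachments/;
    }
    location /docs {
        alias /srv/docs;
    }
    location /safe/ {
        alias /srv/safe/;
    }
}
"""

LOCATION_RE = re.compile(r'location\s+(?P<mod>=|~\*?|\^~)?\s*(?P<prefix>\S+)\s*\{')
ALIAS_RE = re.compile(r'\balias\s+(?P<path>[^;]+);')


def _block_body(text, start):
    """Return the text inside a brace block whose opening '{' sits just before `start`."""
    depth = 1
    i = start
    while i < len(text) and depth:
        if text[i] == '{':
            depth += 1
        elif text[i] == '}':
            depth -= 1
        i += 1
    return text[start:i - 1]


def find_alias_traversal(conf):
    """Flag prefix locations without a trailing '/' that contain an alias directive."""
    findings = []
    for m in LOCATION_RE.finditer(conf):
        if m.group('mod') in ('=', '~', '~*'):
            continue  # exact and regex locations do not strip a prefix this way
        prefix = m.group('prefix')
        body = _block_body(conf, m.end())
        a = ALIAS_RE.search(body)
        if not a or prefix.endswith('/'):
            continue
        alias = a.group('path').strip()
        # alias ending in '/' lets "..": the tail climbs to the parent directory;
        # alias without '/' only exposes sibling directories sharing the prefix
        issue = 'parent-directory traversal' if alias.endswith('/') else 'sibling-directory exposure'
        findings.append({
            'prefix': prefix,
            'alias': alias,
            'issue': issue,
            # the usual remedy: make the location prefix end with '/' as well
            'fix': f'location {prefix}/ {{ alias {alias.rstrip("/")}/; }}',
        })
    return findings


def resolve_alias(prefix, alias, uri):
    """Mimic nginx path construction for a prefix location with an alias.

    Returns the normalised filesystem path, or None if the URI does not match
    the location prefix at all.
    """
    if not uri.startswith(prefix):
        return None
    return posixpath.normpath(alias + uri[len(prefix):])


if __name__ == '__main__':
    for f in find_alias_traversal(VULNERABLE_CONF):
        print(f"location {f['prefix']} with alias {f['alias']}: {f['issue']}; suggested: {f['fix']}")
    # The request from the article, resolved against the vulnerable and the fixed location
    print(resolve_alias('/img', '/var/images/', '/img../test.txt'))   # /var/test.txt
    print(resolve_alias('/img/', '/var/images/', '/img../test.txt'))  # None: prefix no longer matches
```

Running the script prints the three flagged locations and shows that, once the location prefix is "/img/", a request for "/img../test.txt" no longer matches that block at all, so the alias path is never involved. The linter only covers prefix locations; exact ("=") and regex ("~") locations are skipped because the prefix-stripping behaviour the article describes does not apply to them.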

Analysis of repositories on GitHub showed that nginx configuration errors leading to this problem are still found in real projects. For example, the problem was found in the setup behind the Bitwarden password manager and could be used to access all files in the /etc/bitwarden directory (requests to /attachments were served from /etc/bitwarden/attachments/), including the password database "vault.db" stored there, the certificate and the logs; it was enough to send the requests "/attachments../vault.db", "/attachments../identity.pfx", "/attachments../logs/api.log", etc.


The technique also worked against Google HPC Toolkit, where requests to /static were mapped to the directory "../hpc-toolkit/community/front-end/website/static/". To obtain the database together with the secret key and credentials, an attacker could send the requests "/static../.secret_key" and "/static../db.sqlite3".



Source: opennet.ru
