Nginx Config Vulnerability in Alias Block Settings

Some nginx servers remain vulnerable to the nginx alias traversal technique, which was presented at the Black Hat conference back in 2018 and allows access to files and directories located outside the root directory specified in the “alias” directive. The problem appears only in configurations where the “alias” directive is located inside a “location” block whose parameter does not end with the “/” character.




The essence of the problem is that files for blocks with the alias directive are served by appending the requested path to the alias path, after the request has been matched against the mask from the location directive and the part of the path specified in that mask has been cut off. For the above example of a vulnerable configuration, in which the alias directive parameter ends with the “/” character, an attacker can request the file “/img../test.txt”. This request matches the “/img” mask specified in the location, after which the remaining tail “../test.txt” is appended to the path from the alias directive, “/var/images/”, and the file “/var/images/../test.txt” is eventually requested. Thus, attackers can access any files in the “/var” directory, not just files in “/var/images/”. For example, to download the nginx log, a request for “/img../log/nginx/access.log” can be sent.
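The mapping described above can be modelled and checked for in a configuration review. The following is an added example, not code from the original article or from nginx: the function names, the regular expressions and the sample config are assumptions made for illustration, and the scanner handles only plain prefix locations without nested blocks.

```python
import posixpath
import re

# Constructed sample config: the first block matches the pattern the article
# describes, the second has a trailing "/" on the location parameter.
SAMPLE_CONF = """
server {
    location /img {
        alias /var/images/;
    }
    location /static/ {
        alias /var/static/;
    }
}
"""

# Plain prefix locations only (no "=", "~", "^~" modifiers), no nested braces.
LOCATION_RE = re.compile(r"location\s+(/[^\s{]*)\s*\{([^{}]*)\}")
ALIAS_RE = re.compile(r"^\s*alias\s+([^;\s]+)\s*;", re.MULTILINE)


def resolve_alias(location, alias, uri):
    """Model the mapping from the article: cut the matched location prefix
    from the URI and append the remaining tail to the alias path."""
    if not uri.startswith(location):
        return None  # request does not match this prefix location
    # normpath stands in for the filesystem resolving ".." components
    return posixpath.normpath(alias + uri[len(location):])


def find_risky_aliases(conf_text):
    """Return (location, alias) pairs where the location parameter lacks a
    trailing "/", so the tail appended to alias may start with ".."."""
    findings = []
    for loc, body in LOCATION_RE.findall(conf_text):
        m = ALIAS_RE.search(body)
        if m and not loc.endswith("/"):
            findings.append((loc, m.group(1)))
    return findings


if __name__ == "__main__":
    for loc, alias in find_risky_aliases(SAMPLE_CONF):
        print(f"location {loc} -> alias {alias}: end the location with '/'")
    print(resolve_alias("/img", "/var/images/", "/img../test.txt"))
    print(resolve_alias("/img/", "/var/images/", "/img../test.txt"))
```

With the location written as “/img/”, the request “/img../test.txt” no longer matches the block, so the alias path is never extended with a tail starting with “..”.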

In configurations in which the value of the alias directive does not end with the “/” character, the attacker cannot move up to the parent directory, but can request another directory in /var whose name begins with the same string as the one specified in the configuration. For
