nginx merge slashes path traversal
Well Hello,
This is my first write-up, about a path traversal that I found in the DoD. I hope you enjoy reading it.
Description:
The remote NGINX server's handling of adjacent slashes is what makes this possible: merging two or more slashes into one should have protected the website from directory traversal, but with that merging not in effect the server is vulnerable.
First of all, this issue can't be reproduced via the browser (the browser normalizes the path before sending it), so you need to send the request another way, using Burp Suite:
GET ///////../../../etc/passwd
Host: redacted.com
How did we determine that merge_slashes is ‘off’:
Within the NGINX documentation, we can see that the default value of merge_slashes is “on”. Therefore, by default, two or more ‘/’ characters are normalized into one ‘/’ character.
http://NGINX.org/en/docs/http/ngx_http_core_module.html#merge_slashes
Enables or disables compression of two or more adjacent slashes in a URI into a single slash.
Syntax: merge_slashes on | off;
Default: merge_slashes on;
Context: http, server
When the merge_slashes configuration is turned on, using multiple slashes ‘///’ did not allow us to exploit that vulnerability successfully.
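To check a configuration for this setting, the following added example (not code from the original write-up) resolves the effective merge_slashes value for each server block, using the documented default (on) and the http and server contexts quoted above. The sample configuration and server names are constructed, and the tokenizer assumes the config has no quoted strings containing braces, semicolons or '#'.

```python
import re

# Constructed sample config (not from the write-up); server names are hypothetical.
SAMPLE_CONF = """
http {
    server {
        listen 80;
        server_name a.example;      # no merge_slashes: documented default applies
    }
    server {
        listen 8080;
        server_name b.example;
        merge_slashes off;          # the weak setting
        location / { root /var/www; }
    }
}
"""

def audit_merge_slashes(conf_text):
    """Return [(server_name, effective merge_slashes)] for every server block."""
    text = re.sub(r"#[^\n]*", "", conf_text)        # strip comments
    tokens = re.findall(r"[{};]|[^\s{};]+", text)   # braces, semicolons, words
    stack, words, servers, http_value = [], [], [], None
    for tok in tokens:
        if tok not in ("{", "}", ";"):
            words.append(tok)                        # still inside one directive
            continue
        if tok == "{":                               # block opens: first word names it
            stack.append(words[0] if words else "")
            if stack[-1] == "server":
                servers.append({"name": "(unnamed)", "value": None})
        elif tok == "}":
            if stack:
                stack.pop()
        elif words:                                  # tok == ";": directive ends
            ctx = stack[-1] if stack else ""
            if words[0] == "merge_slashes" and len(words) == 2:
                if ctx == "http":
                    http_value = words[1]
                elif ctx == "server":
                    servers[-1]["value"] = words[1]
            elif words[0] == "server_name" and ctx == "server" and len(words) > 1:
                servers[-1]["name"] = words[1]
        words = []
    # Inheritance: server value, else http value, else the documented default "on".
    return [(s["name"], s["value"] or http_value or "on") for s in servers]

def servers_with_merging_off(conf_text):
    """Names of server blocks whose effective merge_slashes is off."""
    return [name for name, value in audit_merge_slashes(conf_text) if value == "off"]
```

The NGINX documentation for merge_slashes also states that a server-level value is only used when that server is the default one for its address and port; this check does not model that, so review any flagged block against its listen directives.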