nginx merge slashes path traversal

Mohammed Amer
Dec 31, 2021

Well Hello,

This is my first write-up, about a path traversal that I found in the DoD. I hope you enjoy reading it.

Description:

A vulnerability in how the remote Nginx server handles the merging of adjacent slashes ('//') left the website, which should have been protected from directory traversal, vulnerable to it.

First of all, this issue can't be reproduced via the browser, so you need to send the request another way, for example with Burp Suite:

GET ///////../../../etc/passwd
Host: redacted.com

To exploit the traversal vulnerability in this app, you can request a file from a directory higher up the tree by using the '///////../../../' notation. Here we request the /etc/passwd file directly from the server.

How did we determine that merge_slashes is ‘off’:

Within the NGINX documentation, we are able to see that the merge_slashes default value is “On”. Therefore two or more ‘/’ characters will be normalized into one ‘/’ character.

http://NGINX.org/en/docs/http/ngx_http_core_module.html#merge_slashes

Enables or disables compression of two or more adjacent slashes in a URI into a single slash.

Syntax: merge_slashes on | off;
Default: merge_slashes on;
Context: http, server

When the merge_slashes configuration is turned on, using multiple slashes ‘///’ did not allow us to exploit that vulnerability successfully.
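One way to check a configuration for the setting discussed above, as an added example (not code from the original write-up or from the nginx project): a small Python audit that reports the effective merge_slashes value for each server block, applying the documented default (on) and the http and server contexts. The sample configuration and the function name are constructed for illustration; include files are not followed and a '#' inside a quoted string is not handled.

```python
import re

# Constructed sample configuration (not taken from the write-up's target).
SAMPLE_CONF = """
http {
    server {
        server_name a.example;
        merge_slashes off;   # the setting the write-up identified
        location / { root /var/www/a; }
    }
    server {
        server_name b.example;
        location / { root /var/www/b; }
    }
}
"""

def effective_merge_slashes(conf_text):
    """Return [(server_name, 'on' | 'off')] for every HTTP server block."""
    text = re.sub(r"#[^\n]*", "", conf_text)           # drop comments
    tokens = re.findall(r"[{};]|[^\s{};]+", text)      # words and punctuation
    stack, words = [], []      # enclosing block names / current statement
    http_value, servers = None, []
    for tok in tokens:
        # A server block sits inside http, or at top level in an included file.
        in_server = stack in (["server"], ["http", "server"])
        if tok == "{":
            stack.append(words[0] if words else "")
            if stack in (["server"], ["http", "server"]):
                servers.append({"name": "(unnamed)", "value": None})
            words = []
        elif tok == "}":
            if stack:
                stack.pop()
            words = []
        elif tok == ";":
            if len(words) >= 2 and words[0] == "merge_slashes":
                if stack == ["http"]:
                    http_value = words[1]
                elif in_server:
                    servers[-1]["value"] = words[1]
            elif len(words) >= 2 and words[0] == "server_name" and in_server:
                servers[-1]["name"] = words[1]
            words = []
        else:
            words.append(tok)
    # Server-level value wins, then http-level, then the documented default.
    return [(s["name"], s["value"] or http_value or "on") for s in servers]

if __name__ == "__main__":
    for name, value in effective_merge_slashes(SAMPLE_CONF):
        print(f"{name}: merge_slashes {value}")
```

Any server reported as `off` is one where adjacent slashes are not compressed, which is the condition the request above relied on.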
