Score:1

Directory traversal fix for nginx config


I discovered that my website has this issue and I wasn't able to fix this. I tried several things like checking if parent prefixed locations for nginx alias directives end with a directory separator, but no luck so far. `merge_slashes on` is the default setting. I've read about AppArmor or SELinux. Is that the way to go? I have Ubuntu 18. In other words, I'm able to download this file http://example.com///etc/passwd and I want to avoid this. Any help is appreciated. Here is my config:

```nginx
server {
    listen 80;
    server_name .example.com;

    return 301 https://example.com$request_uri;
}

server {
    server_name www.example.com;
    listen 443 ssl http2;
    ssl_prefer_server_ciphers On;
    ssl_session_cache shared:SSL:10m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers '......
    ssl_certificate          /...crt;
    ssl_certificate_key      /..key;

    return 301 https://example.com$request_uri;
}

server {
    server_name example.com;
    listen 443 ssl http2;
    ssl_prefer_server_ciphers On;
    ssl_session_cache shared:SSL:10m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers '...
    ssl_certificate          /...crt;
    ssl_certificate_key      /.....key;

    add_header x-frame-options "SAMEORIGIN" always;
    add_header x-xss-protection "1; mode=block" always;
    add_header X-Content-Type-Options nosniff;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; $

    root /var/www/www.example.com;
    index index.php;

    client_max_body_size 10M;
    access_log /var/log/nginx/example.com.log;
    error_log /var/log/nginx/example.com.error.log error;

    location / {
        try_files $uri $uri/ /index.php;
    }

    location /shopping/ {
        index index.php index.html index.htm;
        rewrite ^/shop/wp-json/(.*?)$ /shopping/index.php?rest_route=/$1 last;
        try_files $uri $uri/ /shop/index.php?q=$uri&$args;
    }

    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
        expires 24h;
        log_not_found off;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    location ~ \.(log|save|htaccess|json|csv|txt|xls)$ {
        deny all;
        error_page 403 =404 / ;
    }

    location ~* /(?:uploads|files)/.*\.php$ {
        deny all;
    }
}
```
Your issue is in your PHP application not in `nginx`.
Can you please elaborate? It will be much appreciated!
The request to `//etc/passwd` would match `location '/'` and unless you have a file `/var/www/www.example.com/etc/passwd` it would be handled by `index.php` through `fastcgi_pass`.
SELinux is designed to prevent exactly this on RHEL systems. I'm not as familiar with AppArmor. Effectively SELinux only allows a process to access things that match their context. It would mitigate this issue, but @AlexD is right - the issue is with the PHP app.
For some mysterious reason, some directories were copied to the website root, causing this: /var/www/www.example.com/etc/passwd. My bad that I did not discover this earlier!
In case you solved your issue, please add an answer and accept it later on, else we will be reminded of it until the end of the universe.
Score:0

There was nothing wrong with the nginx config. Some dev guy created, in a mysterious way, a copy of /etc/passwd at /var/www/www.example.com/etc/passwd. So that's why I could browse/download it, and that's why my PCI scanner was failing. Sorry for taking your time!
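To make the root cause concrete, here is an added example (not code from the original post) that models how nginx maps a request URI such as `///etc/passwd` onto `root` under `location /` with `merge_slashes on`, and then audits a webroot for stray copies of system files like the one found here. The `DOCUMENT_ROOT` value comes from the question's config; the watch list of file names and the temporary webroot contents are constructed for the example.

```python
"""Added example: model nginx's URI -> file mapping and audit a webroot for
stray system files. Not part of the original question or answer."""
import os
import posixpath
import re
import tempfile

DOCUMENT_ROOT = "/var/www/www.example.com"   # root from the question's config
SENSITIVE_NAMES = {"passwd", "shadow", "id_rsa", ".env"}  # assumed watch list


def nginx_path_for(uri: str, root: str = DOCUMENT_ROOT) -> str:
    """Approximate how nginx maps a URI to a file under `location /`:
    drop the query string, collapse repeated slashes (merge_slashes on),
    resolve . and .. (nginx rejects URIs that climb above /; normpath drops them)."""
    path = uri.split("?", 1)[0]
    path = re.sub(r"/{2,}", "/", path)          # merge_slashes on
    path = posixpath.normpath(path)             # '/../etc/passwd' -> '/etc/passwd'
    if not path.startswith("/"):
        path = "/" + path
    return root + path


def would_be_served(uri: str, root: str = DOCUMENT_ROOT) -> bool:
    """`try_files $uri ...` hands the file out directly whenever it exists."""
    return os.path.isfile(nginx_path_for(uri, root))


def find_stray_system_files(root: str) -> list:
    """Walk the webroot and report files named like sensitive system files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in SENSITIVE_NAMES:
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def build_constructed_webroot() -> str:
    """Constructed sample: a temporary webroot holding a stray etc/passwd copy."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc", "passwd"), "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\n")   # constructed content
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hi';\n")
    return root


if __name__ == "__main__":
    root = build_constructed_webroot()
    print(nginx_path_for("///etc/passwd"))          # /var/www/www.example.com/etc/passwd
    print(would_be_served("///etc/passwd", root))   # True: the copy exists under root
    print(find_stray_system_files(root))            # ['etc/passwd']
```

Running `find_stray_system_files` against the real `root` is a quick check to add to a deploy pipeline or PCI pre-scan, since nginx itself is behaving exactly as configured.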
