membermatters / MemberMatters

An open source membership, access and payments portal for makerspaces and community groups.
https://membermatters.org
MIT License

Nginx path traversal via misconfigured alias #109

Closed snoopen closed 3 years ago

snoopen commented 3 years ago

nginx.conf has a misconfiguration that is exploitable. A location block with no trailing slash and an alias with a slash allows traversal back one level, potentially exposing sensitive information.

location /static {
      alias /usr/src/app/memberportal/membermatters/static/;
      ...

For more information: Path traversal via misconfigured alias.
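A small checker for the location/alias mismatch described in this issue, added here as an example and not code from the MemberMatters project; the sample config (the reported block next to a corrected one) and the regex-based parsing are constructed assumptions, not the repository's own nginx.conf.

```python
import re

# Constructed sample (not the project's file): the misconfigured block from the
# issue, followed by a block with a trailing slash on both location and alias.
SAMPLE_CONF = """
server {
    listen 80;
    location /static {
        alias /usr/src/app/memberportal/membermatters/static/;
    }
    location /media/ {
        alias /usr/src/app/memberportal/membermatters/media/;
    }
}
"""

# Optional modifier (=, ~, ~*, ^~) followed by the location argument.
LOCATION_RE = re.compile(r"location\s+(?:(=|~\*?|\^~)\s+)?(\S+)\s*\{")
ALIAS_RE = re.compile(r"\balias\s+([^;]+);")


def find_alias_traversal(conf: str) -> list:
    """Return (location_prefix, alias_path) pairs where a plain prefix
    location without a trailing slash is paired with an alias that has one.
    nginx replaces the matched prefix with the alias, so a request URI that
    continues the prefix with '..' resolves to the alias's parent directory."""
    findings = []
    for m in LOCATION_RE.finditer(conf):
        modifier, prefix = m.group(1), m.group(2)
        if modifier in ("=", "~", "~*"):  # exact/regex matches do no prefix substitution
            continue
        # Body runs from the opening brace to its matching close brace.
        body_start = m.end()
        depth, i = 1, body_start
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        alias = ALIAS_RE.search(conf[body_start:i])
        if alias is None:
            continue
        alias_path = alias.group(1).strip()
        if not prefix.endswith("/") and alias_path.endswith("/"):
            findings.append((prefix, alias_path))
    return findings


if __name__ == "__main__":
    for prefix, alias_path in find_alias_traversal(SAMPLE_CONF):
        print(f"location {prefix} + alias {alias_path}: "
              f"add a trailing slash to the location (location {prefix}/)")
```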

jabelone commented 3 years ago

Resolved in a recent PR