Vigil@nce - Nginx: reading file via Naxsi
July 2012 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
When the Naxsi module is installed on Nginx, an attacker can use
the script nx_extract.py of naxsi-ui, in order to read a file
located outside the web root.
Severity: 2/4
Creation date: 09/07/2012
IMPACTED PRODUCTS
– nginx
DESCRIPTION OF THE VULNERABILITY
The Naxsi module is a WAF (Web Application Firewall) for Nginx.
The naxsi-ui interface is used to access to auto-learning
features. The script nx_extract.py retrieves the generated white
lists.
The handle_request() method of nx_extract.py provides the document
requested in the url (/get_rules, /graphs, or the direct name of a
file). However, this function does not check if the direct name of
a file is located inside the root directory.
When the Naxsi module is installed on Nginx, an attacker can
therefore use the script nx_extract.py of naxsi-ui, in order to
read a file located outside the web root.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Nginx-reading-file-via-Naxsi-11748