Path traversal via misconfigured NGINX alias

Description

NGINX is a widely used web server that can also function as a reverse proxy, load balancer, mail proxy, and HTTP cache. The alias directive in NGINX replaces a specified location path with an alternative file system path. A path traversal vulnerability occurs when the location path does not end with a trailing slash (/) but the alias path does. This misconfiguration allows attackers to manipulate the URL to traverse outside the intended directory by inserting path traversal sequences (e.g., /../). For example, if location /i (without trailing slash) maps to alias /data/w3/images/ (with trailing slash), NGINX replaces the matched prefix /i with the alias path and appends the rest of the URI unchanged, so a request to /i../app/config.py becomes /data/w3/images/../app/config.py, which resolves to /data/w3/app/config.py instead of being restricted to the images directory. This enables unauthorized access to files outside the designated folder.

Remediation

Audit all NGINX configuration files to identify alias directives and verify that location paths are properly configured. When using the alias directive, ensure that the location path and the alias path either both end with a trailing slash or both do not. The recommended secure pattern is to always include trailing slashes on both sides:

Vulnerable Configuration:

location /i {
    alias /data/w3/images/;
}

Secure Configuration:

location /i/ {
    alias /data/w3/images/;
}

Additionally, consider using the root directive instead of alias when possible, as it is less prone to misconfiguration. Use an automated configuration scanner such as Gixy to detect this and similar NGINX misconfigurations. After making changes, test the configuration with nginx -t (which validates syntax but does not detect this misconfiguration) and verify that path traversal attempts are properly blocked.
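
One way to carry out the audit step above, as an added example that is not part of the original advisory and is not NGINX or Gixy code: a small Python check that flags prefix locations lacking a trailing slash whose alias ends with one, plus a model of how alias maps a URI to a file. The function names and the sample configuration are constructed for illustration, and the tokenizer assumes no braces, semicolons or # characters inside quoted values; included files need to be scanned too (for example by feeding it the output of nginx -T).

```python
import posixpath
import re

# Constructed sample: the vulnerable block from this page plus a safe one.
SAMPLE_CONF = """
server {
    location /i {              # no trailing slash on the location
        alias /data/w3/images/;
    }
    location /static/ {        # hypothetical, both sides end with a slash
        alias /data/w3/static/;
    }
}
"""

def resolve(prefix, alias, uri):
    """Model the alias mapping: the matched prefix is replaced by the alias
    path, then the file system collapses any ".." segments."""
    if not uri.startswith(prefix):
        return None  # this location does not match the request
    return posixpath.normpath(alias + uri[len(prefix):])

def find_alias_traversal(conf):
    """Return (location, alias) pairs where a prefix location lacks the
    trailing slash while its alias path ends with one."""
    conf = re.sub(r'#.*', '', conf)  # strip comments to end of line
    stack, findings = [], []
    # Split the text into statements terminated by "{", "}" or ";".
    for stmt, end in re.findall(r'([^{};]*)([{};])', conf):
        words = stmt.split()
        if end == '{':
            # Track plain and "^~" prefix locations only; exact (=), regex (~)
            # and named (@) locations and other blocks are pushed as None.
            is_prefix = (words[:1] == ['location'] and words[-1].startswith('/')
                         and (len(words) == 2 or words[1:2] == ['^~']))
            stack.append(words[-1] if is_prefix else None)
        elif end == '}':
            if stack:
                stack.pop()
        elif words[:1] == ['alias'] and len(words) == 2 and stack and stack[-1]:
            loc, alias = stack[-1], words[1]
            if not loc.endswith('/') and alias.endswith('/'):
                findings.append((loc, alias))
    return findings

if __name__ == '__main__':
    for loc, alias in find_alias_traversal(SAMPLE_CONF):
        print(f'location {loc} -> alias {alias}: add a trailing slash to the location')
```

After correcting a flagged block, resolve() can serve as a regression check: with the prefix /i/ the request from the Description no longer matches the location at all.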