Path Traversal via Misconfigured Alias
Gixy Check ID: alias_traversal
The alias directive is used to replace the path of the specified location. For example, with the following configuration:

```nginx
location /i/ {
    alias /data/w3/images/;
}
```

on request of /i/top.gif, the file /data/w3/images/top.gif will be sent.
But if the location doesn't end with a directory separator (i.e. /):

```nginx
location /i {
    alias /data/w3/images/;
}
```

on request of /i../app/config.py, the file /data/w3/app/config.py will be sent, because the matched prefix /i is replaced by /data/w3/images/ and the remaining ../app/config.py is appended to it.
In other words, an incorrect alias configuration could allow an attacker to read files stored outside the target folder.
What can I do?
It's pretty simple:
- find all the alias directives;
- make sure that the parent prefixed location ends with a directory separator;
- or, if you want to map a single file, make sure the location starts with =, e.g. =/i.gif instead of /i.gif.
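The check above, as an added example (not Gixy's own implementation): a small scanner that finds prefix locations lacking a trailing slash whose alias points at a directory, and a helper that shows the filesystem path nginx would derive for a request. It assumes flat location blocks without nested braces and skips regex locations (~, ~*), which need a different analysis; the sample configuration is constructed from the two variants on this page.

```python
import posixpath
import re

# Constructed sample configuration (not from a real server): the safe and the
# vulnerable variants discussed above, plus an exact-match single-file mapping.
SAMPLE_CONF = """
location /i/ { alias /data/w3/images/; }
location /i  { alias /data/w3/images/; }
location = /i.gif { alias /data/w3/images/top.gif; }
"""

# Prefix locations only: an optional modifier, the path, and a body without
# nested blocks. Regex locations (~, ~*) are recognised but not analysed here.
LOCATION_RE = re.compile(
    r"location\s+(?:(?P<mod>=|\^~|~\*?)\s+)?(?P<path>\S+)\s*\{(?P<body>[^{}]*)\}")
ALIAS_RE = re.compile(r"\balias\s+(?P<target>[^;\s]+)\s*;")


def map_uri(location, alias, uri):
    """Path nginx hands to the filesystem: alias replaces the matched prefix,
    then the OS collapses any '..' the replacement produced."""
    assert uri.startswith(location)
    return posixpath.normpath(alias + uri[len(location):])


def find_alias_traversal(conf):
    """Return (location, alias) pairs where a prefix location without a
    trailing '/' is aliased to a directory, so '/i../x' escapes the alias."""
    findings = []
    for block in LOCATION_RE.finditer(conf):
        mod, path = block.group("mod"), block.group("path")
        alias = ALIAS_RE.search(block.group("body"))
        if alias is None or mod in ("=", "~", "~*"):
            continue  # exact-match locations are safe; regex ones are out of scope
        target = alias.group("target")
        if not path.endswith("/") and target.endswith("/"):
            findings.append((path, target))
    return findings


if __name__ == "__main__":
    for path, target in find_alias_traversal(SAMPLE_CONF):
        probe = path + "../app/config.py"  # the request shape from this page
        print(f"{path} -> {target}: {probe} maps to {map_uri(path, target, probe)}")
```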