
nginx 0.7.61 WebDAV directory traversal

Added: 2013-12-7
Test method
The programs (methods) provided on this site may be offensive in nature and are intended for security research and teaching only; use them at your own risk.
Bug Title: nginx webdav copy/move method directory traversal
Program: nginx
Version: nginx/0.7.61 - other versions may also be affected
Website: http://sysoev.ru/nginx/
Severity: Low
Date discovered: 23 September 2009

The webdav component has to be enabled and the user has to have
permission to use the COPY or MOVE methods.

Description:
nginx ("Engine X", written by Igor Sysoev) has the ability to be used
as a webdav publishing server. With webdav you can, for example, copy
or move files from one location to another. The MOVE and COPY methods
require a "Destination:" HTTP header, which states where the file
should be placed.

By using sequences like "../" the attacker can traverse the directory
tree and place files outside the webroot. This is insecure behaviour
of the nginx webdav module and can be especially dangerous when nginx
is used in a virtual hosting environment. nginx runs as the user
nobody by default, so normally this bug is not a big deal since an
attacker may only be allowed to write files to /tmp/ or to directories
owned by nobody. The severity is low because this attack requires
webdav "upload" permissions.

Here is a sample request for the bug:

COPY /index.html HTTP/1.1
Host: localhost
Destination: http://localhost/../../../../../../../tmp/nginx.html

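The check a WebDAV handler needs before honouring a Destination header, written as an added example for this page (not nginx code and not part of the advisory): the destination is joined to the document root and normalised first, so a "../" escape is visible before any file is touched. The document root /var/www/html, the helper names and the sample requests are assumptions constructed for the example.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Document root assumed for this example (constructed, not from the advisory).
WEBROOT = "/var/www/html"

def resolve_destination(destination, host, webroot=WEBROOT):
    """Return the filesystem path a Destination header maps to, or None if it
    names another host, is not an absolute path, or leaves webroot."""
    parts = urlsplit(destination)
    if parts.scheme or parts.netloc:
        # Absolute-URI form: only accept destinations on the host we serve.
        if parts.hostname != host.split(":")[0].lower():
            return None
        path = parts.path
    else:
        path = destination  # absolute-path form, also allowed by RFC 4918
    if not path.startswith("/"):
        return None
    path = unquote(path)  # "%2e%2e/" is just another spelling of "../"
    if "\x00" in path:
        return None
    root = webroot.rstrip("/")
    # Join first, then normalise: this mirrors what the filesystem would do
    # with "root/../../tmp/x", so an escape is visible before any I/O happens.
    resolved = posixpath.normpath(root + path)
    if resolved != root and not resolved.startswith(root + "/"):
        return None
    return resolved

def check_copy_request(raw_request, webroot=WEBROOT):
    """Parse the request line and headers of a raw COPY/MOVE request and
    return the vetted destination path, or None if it must be refused."""
    lines = raw_request.replace("\r\n", "\n").strip("\n").split("\n")
    if lines[0].split(" ")[0].upper() not in ("COPY", "MOVE"):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # split at the first colon only
        headers[name.strip().lower()] = value.strip()
    if "host" not in headers or "destination" not in headers:
        return None
    return resolve_destination(headers["destination"], headers["host"], webroot)

# The advisory's sample request, plus a benign counterpart (constructed input).
TRAVERSAL_REQUEST = ("COPY /index.html HTTP/1.1\r\nHost: localhost\r\n"
                     "Destination: http://localhost/../../../../../../../tmp/nginx.html\r\n")
BENIGN_REQUEST = ("COPY /index.html HTTP/1.1\r\nHost: localhost\r\n"
                  "Destination: http://localhost/backup/index.html\r\n")
```

For the advisory's request the resolved path is /tmp/nginx.html, which fails the containment test and is refused; the benign copy resolves to /var/www/html/backup/index.html and is allowed.
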
Thanks for your time,

Kingcope