Nginx Misconfig
dk4trin opened this issue · 1 comments
Hello Team,
In the deploy files there is a bad configuration in the nginx alias where it is possible to perform a traversal path to access files on the server running the QA-Board. An attacker can use this to scour files on the server that could compromise QA-Board users/customers.
For the technique to be applicable, the following conditions must be met:
- The location directive should not have a trailing slash in its path;
- An alias directive must be present within the location context, and it must end with a slash.
From the procedures of the deploy steps I was able to carry out the proof of concept:
git clone https://github.com/Samsung/qaboard.git
cd qaboard
docker-compose pull
docker-compose up -d
Steps to Reproduce
- curl "http://localhost:5151/docs../etc/passwd" | head -n 50
I apologize if this is of no use to you.
Best Regards,
dk4trin.
Thanks a lot for the report! Indeed I can reproduce. I fixed it in our internal repo (by adding a /) and I hope I'll find time to update GitHub too.
There is no security impact is low as far as I can tell:
- the nginx container does not have any sensitive file (e.g. no real users in /etc/passwd), and
- by design users can access the shared storage that's mounted
Best regards,
Arthur
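
A static check for the two conditions listed in the report, which also shows that adding the trailing slash to the location clears the finding. This is an added example, not code from QA-Board or from either commenter; the sample config and its paths are constructed, and the parser is a simplification that ignores `include` files and `#` characters inside quoted strings.

```python
import re

# "location [modifier] <path> {" ; group 1 = modifier, group 2 = path
LOCATION_RE = re.compile(r"location\s+(?:(=|~\*?|\^~)\s+)?(\S+)\s*\{")
ALIAS_RE = re.compile(r"\balias\s+([^;]+);")

def block_body(conf, start):
    """Text directly inside the block whose '{' ends just before `start`."""
    depth, out = 1, []
    for ch in conf[start:]:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                break
        elif depth == 1:  # skip directives that belong to nested blocks
            out.append(ch)
    return "".join(out)

def find_alias_traversal(conf):
    """Return (location, alias) pairs meeting both conditions from the report."""
    conf = "\n".join(line.split("#", 1)[0] for line in conf.splitlines())
    findings = []
    for m in LOCATION_RE.finditer(conf):
        modifier, path = m.groups()
        if modifier in ("=", "~", "~*"):
            continue  # exact and regex locations are not prefix matches
        for a in ALIAS_RE.finditer(block_body(conf, m.end())):
            alias = a.group(1).strip().strip("\"'")
            # Prefix "/docs" also matches "/docs../x", which nginx maps to
            # "<alias>../x" when the alias ends with a slash.
            if not path.endswith("/") and alias.endswith("/"):
                findings.append((path, alias))
    return findings

# Constructed sample config; paths are hypothetical.
SAMPLE = """
server {
    listen 80;
    location /docs {            # flagged: no trailing slash
        alias /srv/site/docs/;
    }
    location /static/ {         # fine: both end with a slash
        alias /srv/site/static/;
    }
}
"""

if __name__ == "__main__":
    for path, alias in find_alias_traversal(SAMPLE):
        print(f"location {path} -> alias {alias}: add a trailing slash to the location")
```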