This application was vulnerable to source code disclosure/download vulnerability when
it was running in Windows OS (NTFS file system).
App parser couldn't handle ADS (Alternate Data Streams) and it treated a data stream as an
usual file. An Attacker could read/download source code of webapps files using default data
stream (unnamed): "filename::$data".
This issue is like an old security issue in Microsoft Windows IIS [ref-2].
======PROOF OF CONCEPT======
http://[IP]/[FILE]::$data
======STEPS TO REPRODUCE======
1.- Start the server.
2.- Go to http://127.0.0.1/index.html::$data
3.- Browser requests to download...yes...go to file and open it.
Standard Time Zone: GMT/UTC + 01:00 hour (Spain/Madrid)
[2010-06-04] => Inicial contact with vendor and sent advisory.
[2010-06-04] => Vendor response and believe that vulnerability got fixed with previous release.
[2010-06-04] => I confirm that nginx is vulnerable in Windows 7 OS.
[2010-06-04] => Vendor will try to see the issue.
[2010-06-04] => Vendor confirms the issue and he will get fixed on Monday.
[2010-06-07] => New releases out.
[2010-06-07] => I sent complete advisory and propose as disclosure date on Wednesday.
[2010-06-10] => Second chance to confirm public disclosure.
[2010-06-10] => Vendor is agree.
[2010-06-11] => Forced to public disclosure.
======CREDITS=======
Jose Antonio Vazquez Gonzalez,
Telecom. Engineer & Sec. Researcher.
http://spa-s3c.blogspot.com/
Thanks to Ruben Santamarta (@reversemode) and Jose María Alonso (@maligno) for their support in other issues.
QQ群⑧:
窥视卡
雷达卡
发表于 2016-12-25 12:57:22
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡