How to remediate – Nginx Off-By-Slash

1. Introduction

The Nginx Off-By-Slash vulnerability occurs when an Nginx location directive is incorrectly configured without a trailing slash. This allows attackers to potentially access files outside of the intended web root directory, reading sensitive information. Systems running vulnerable versions of Nginx are affected. A successful exploit could lead to confidential data disclosure.

2. Technical Explanation

The vulnerability arises from how Nginx parses location directives. If a directive doesn’t end with a slash, an attacker can craft requests that traverse up the directory structure. This is because Nginx interprets the missing slash as allowing access to parent directories. The Common Weakness Enumeration (CWE) identifiers associated with this issue are CWE-16 and CWE-22.

  • Root cause: Missing trailing slashes in Nginx location directives.
  • Exploit mechanism: An attacker sends a request crafted to traverse directory levels using “..”. For example, if a location directive is configured as `/images`, an attacker could access `/images/../etc/nginx/nginx.conf`.
  • Scope: All versions of Nginx are potentially affected by misconfigured location directives.

3. Detection and Assessment

You can check for vulnerable configurations by reviewing your Nginx configuration files. Thorough assessment involves testing with crafted requests.

  • Quick checks: Use the command `nginx -t` to test the configuration syntax, but this won’t identify all Off-By-Slash issues.
  • Scanning: Nessus and OpenVAS may have plugins that detect misconfigured Nginx directives. These are examples only, and results should be verified manually.
  • Logs and evidence: Examine Nginx access logs for unusual requests containing directory traversal attempts (e.g., “../”). Look for 403 errors followed by successful file reads in unexpected locations.
nginx -t

4. Solution / Remediation Steps

Ensure all Nginx location directives end with a trailing slash to prevent directory traversal.

4.1 Preparation

  • There are no dependencies for this fix. Changes should be reviewed by a senior administrator or security team member.

4.2 Implementation

  1. Step 1: Open your Nginx configuration file (typically located in /etc/nginx/).
  2. Step 2: Review each location directive for missing trailing slashes.
  3. Step 3: Add a trailing slash to any directives that are missing it.
  4. Step 4: Save the updated configuration file.
  5. Step 5: Test the new configuration using `nginx -t`.
  6. Step 6: Reload Nginx with `sudo systemctl reload nginx` or equivalent command for your system.

4.3 Config or Code Example

Before

location /images {
    root /var/www/images;
}

After

location /images/ {
    root /var/www/images;
}

4.4 Security Practices Relevant to This Vulnerability

Several security practices can help prevent this issue.

  • Practice 2: Secure defaults – Configure Nginx with the most secure settings possible, including proper directory permissions and access controls.

4.5 Automation (Optional)

No automation script is provided as configuration files vary widely. However, a simple `grep` command can help identify directives missing trailing slashes.

# List prefix "location" directives whose path is not followed by "/" before the "{".
# (Filtering on '/$' would never work: a location line ends with "{", not with the path.)
grep -rnE '^[[:space:]]*location[[:space:]]+(\^~[[:space:]]+)?/' /etc/nginx | grep -vE '/[[:space:]]*\{'
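A slightly more careful checker than the one-liner, added here as an example rather than taken from the original article: it strips comments first, skips exact (`=`) and regex (`~`, `~*`) locations, to which the trailing-slash rule does not apply, and returns a non-zero status when findings exist so it can gate a deployment. It assumes POSIX sh with `grep -E` and `sed`; the sample file in the usage below is constructed.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Prints "file:line: directive" for every prefix "location" whose path lacks
# a trailing slash, and returns 1 if any were found (0 if the files are clean).
# Usage: find_missing_trailing_slash /etc/nginx/nginx.conf /etc/nginx/conf.d/*.conf
find_missing_trailing_slash() {
    found=0
    for f in "$@"; do
        # 1. drop "#..." comments so commented-out directives are ignored
        # 2. match: optional "^~" modifier, a path starting with "/", whose last
        #    non-space character before "{" is not "/"; "=" and "~" locations
        #    never reach the "/" in the pattern and are therefore skipped
        hits=$(sed 's/#.*$//' "$f" | grep -nE \
            '^[[:space:]]*location[[:space:]]+(\^~[[:space:]]+)?/[^[:space:]{]*[^/[:space:]{][[:space:]]*\{')
        if [ -n "$hits" ]; then
            found=1
            printf '%s\n' "$hits" | while IFS= read -r line; do
                printf '%s:%s\n' "$f" "$line"
            done
        fi
    done
    return "$found"
}
```

Exit status 1 means at least one directive needs attention; run it again after editing and reloading, and it should return 0.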

5. Verification / Validation

Confirm the fix by re-testing with crafted requests and verifying that access is denied to files outside of the intended web root directory.

  • Re-test: Attempt to access a file outside of the web root using a crafted request (e.g., /images/../etc/nginx/nginx.conf). You should receive a 403 Forbidden error.
  • Monitoring: Monitor Nginx access logs for any further directory traversal attempts, looking for patterns similar to those seen during testing.
nginx -t

6. Preventive Measures and Monitoring

Regular security reviews and automated checks can help prevent this issue.

  • Baselines: Update your Nginx configuration baseline to include the requirement for trailing slashes in all location directives.

7. Risks, Side Effects, and Roll Back

  • Risk or side effect 1: Incorrectly modified configuration files could prevent Nginx from starting. Mitigation: Restore the backed-up configuration file.
  • Roll back:
    1. Step 1: Stop the Nginx service.
    2. Step 2: Restore the original, backed-up Nginx configuration file.
    3. Step 3: Test the restored configuration using `nginx -t`.
    4. Step 4: Reload Nginx with `sudo systemctl reload nginx` or equivalent command for your system.

8. References and Resources

Updated on December 27, 2025
