本文共 2632 字，大约阅读时间需要 8 分钟。

http://www.example.com/index.html::$DATA

http://www.example.com/%c0.%c0./%c0.%c0./%c0.%c0./%c0.%c0./%20http://www.example.com/%c0.%c0./%c0.%c0./%c0.%c0./%20

 

======TESTED VERSIONS=====

Unix versions are not vulnerable (it only affects to NTFS file system) Windows Stable versions: nginx/0.7.66 --> Not vulnerablenginx/0.7.65 --> Vulnerablenginx/0.7.64 --> Vulnerablenginx/0.7.63 --> Vulnerablenginx/0.7.62 --> Vulnerablenginx/0.7.61 --> Vulnerablenginx/0.7.60 --> Vulnerablenginx/0.7.59 --> Vulnerablenginx/0.7.58 --> Vulnerablenginx/0.7.56 --> Vulnerable Windows Development versions: nginx/0.8.40 --> Not vulnerablenginx/0.8.39 --> Vulnerablenginx/0.8.38 --> Vulnerablenginx/0.8.37 --> Vulnerablenginx/0.8.36 --> Vulnerablenginx/0.8.35 --> Vulnerablenginx/0.8.34 --> Vulnerablenginx/0.8.33 --> Vulnerablenginx/0.8.32 --> Vulnerablenginx/0.8.31 --> Vulnerablenginx/0.8.30 --> Vulnerable ======DESCRIPTION====== This application was vulnerable to source code disclosure/download vulnerability whenit was running in Windows OS (NTFS file system).App parser couldn't handle ADS (Alternate Data Streams) and it treated a data stream as anusual file. An Attacker could read/download source code of webapps files using default datastream (unnamed): "filename::$data". This issue is like an old security issue in Microsoft Windows IIS [ref-2]. ======PROOF OF CONCEPT====== http://[IP]/[FILE]::$data ======STEPS TO REPRODUCE====== 1.- Start the server. 2.- Go to http://127.0.0.1/index.html::$data 3.- Browser requests to download...yes...go to file and open it. ======REFERENCES====== [ref-1] -> http://nginx.org/[ref-2] -> http://www.microsoft.com/technet/security/bulletin/ms98-003.mspx ======DISCLOSURE TIMELINE====== Standard Time Zone: GMT/UTC + 01:00 hour (Spain/Madrid) [2010-06-04] => Inicial contact with vendor and sent advisory.[2010-06-04] => Vendor response and believe that vulnerability got fixed with previous release.[2010-06-04] => I confirm that nginx is vulnerable in Windows 7 OS.[2010-06-04] => Vendor will try to see the issue.[2010-06-04] => Vendor confirms the issue and he will get fixed on Monday.[2010-06-07] => New releases out.[2010-06-07] => I sent complete advisory and propose as disclosure date on Wednesday.[2010-06-10] => Second chance to confirm public disclosure.[2010-06-10] => Vendor is agree.[2010-06-11] => Forced to public disclosure. ======CREDITS======= Jose Antonio Vazquez Gonzalez,Telecom. Engineer & Sec. Researcher.http://spa-s3c.blogspot.com/ Thanks to Ruben Santamarta (@reversemode) and Jose María Alonso (@maligno) for their support in other issues.

转载地址：http://ioqmb.baihongyu.com/