Samsung/qaboard

Nginx Misconfig

dk4trin opened this issue · 1 comments

Hello Team,

In the deploy files there is a bad configuration in the nginx alias where it is possible to perform a traversal path to access files on the server running the QA-Board. An attacker can use this to scour files on the server that could compromise QA-Board users/customers.

For the technique to be applicable, the following conditions must be met:

  • The location directive should not have a trailing slash in its path;
  • An alias directive must be present within the location context, and it must end with a slash.


From the procedures of the deploy steps I was able to carry out the proof of concept:

git clone https://github.com/Samsung/qaboard.git
cd qaboard

docker-compose pull
docker-compose up -d

Steps to Reproduce

  1. curl "http://localhost:5151/docs../etc/passwd" | head -n 50

I apologize if this is of no use to you.

Best Regards,
dk4trin.

Thanks a lot for the report! Indeed I can reproduce. I fixed it in our internal repo (by adding a /) and I hope I'll find time to update GitHub too.

There is no security impact is low as far as I can tell:

  • the nginx container does not have any sensitive file (e.g. no real users in /etc/passwd), and
  • by design users can access the shared storage that's mounted

Best regards,
Arthur
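
The two conditions listed in the report can be checked mechanically before a config is deployed. The following is an added example, not code from the QA-Board repository: a small Python audit that flags any prefix `location` without a trailing slash whose `alias` ends with one. The sample configs are constructed, the alias target `/srv/example-docs/` is a placeholder, and the fixed form assumes the slash mentioned in the reply is added to the location path.

```python
import re

# "location [modifier] <path> {"; captures the optional modifier and the path.
LOCATION_RE = re.compile(r"^\s*location\s+(?:(=|\^~|~\*|~)\s+)?(\S+)\s*\{")
ALIAS_RE = re.compile(r"\balias\s+([^;\s]+)\s*;")

def find_alias_traversal(conf_text):
    """Return (line_no, location, alias) for every prefix location whose path
    has no trailing slash while the alias inside it ends with one."""
    findings = []
    stack = []  # one entry per open "{": the path for prefix locations, else None
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # drop comments (simplification)
        loc = LOCATION_RE.match(line)
        if loc:
            modifier, path = loc.groups()
            # "=" (exact) and regex locations do not prefix-match, so skip them.
            stack.append(path.strip("\"'") if modifier in (None, "^~") else None)
        stack.extend([None] * (line.count("{") - (1 if loc else 0)))
        alias = ALIAS_RE.search(line)
        if alias and stack and stack[-1] is not None:
            target = alias.group(1).strip("\"'")
            if not stack[-1].endswith("/") and target.endswith("/"):
                findings.append((line_no, stack[-1], target))
        for _ in range(line.count("}")):
            if stack:
                stack.pop()
    return findings

# Constructed sample configs; the alias target is a placeholder path.
VULNERABLE = """
server {
    listen 5151;
    location /docs {
        alias /srv/example-docs/;
    }
}
"""
FIXED = VULNERABLE.replace("location /docs {", "location /docs/ {")

if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        print(name, find_alias_traversal(conf))
```

The brace counting is a simplification: it does not handle `{` or `}` inside quoted strings or regex locations, and it does not follow `include` directives.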