Found Nginx configuration vulnerability

[joglomedia]

Describe the Issue / Bug

$ gixy etc/nginx/vhost/site_wordpress-ms.conf 

==================== Results ===================

>> Problem: [http_splitting] Possible HTTP-Splitting vulnerability.
Description: Using variables that can contain "\n" or "\r" may lead to http injection.
Additional info: https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md
Reason: At least variable "$uri" can contain "\n"
Pseudo config:

if (!-e $request_filename) {
	rewrite /wp-admin$ $scheme://$host$uri/ permanent;
}

------------------------------------------------

>> Problem: [alias_traversal] Path traversal via misconfigured alias.
Description: Using alias in a prefixed location that doesn't ends with directory separator could lead to path traversal vulnerability. 
Additional info: https://github.com/yandex/gixy/blob/master/docs/en/plugins/aliastraversal.md
Pseudo config:

location ^~ /blogs.dir {
	alias $root_path/wp-content/blogs.dir;
}

==================== Summary ===================
Total issues:
    Unspecified: 0
    Low: 0
    Medium: 1
    High: 1

$ gixy etc/nginx/vhost/site_wordpress-bwps.conf 

==================== Results ===================

>> Problem: [origins] Validation regex for "origin" or "referrer" matches untrusted domain.
Description: Improve the regular expression to match only trusted referrers.
Additional info: https://github.com/yandex/gixy/blob/master/docs/en/plugins/origins.md
Reason: Regex matches "http://evil.com/wp-admin.evil.com" as a valid referrer.
Pseudo config:

if ($http_referer !~* wp-admin) {
}

------------------------------------------------

>> Problem: [origins] Validation regex for "origin" or "referrer" matches untrusted domain.
Description: Improve the regular expression to match only trusted referrers.
Additional info: https://github.com/yandex/gixy/blob/master/docs/en/plugins/origins.md
Reason: Regex matches "http://evil.com/wp-login/php.evil.com" as a valid referrer.
Pseudo config:

if ($http_referer !~* wp-login.php) {
}

------------------------------------------------

>> Problem: [origins] Validation regex for "origin" or "referrer" matches untrusted domain.
Description: Improve the regular expression to match only trusted referrers.
Additional info: https://github.com/yandex/gixy/blob/master/docs/en/plugins/origins.md
Reason: Regex matches "http://evil.com/login.evil.com" as a valid referrer.
Pseudo config:

if ($http_referer !~* login) {
}

------------------------------------------------

>> Problem: [origins] Validation regex for "origin" or "referrer" matches untrusted domain.
Description: Improve the regular expression to match only trusted referrers.
Additional info: https://github.com/yandex/gixy/blob/master/docs/en/plugins/origins.md
Reason: Regex matches "http://evil.com/dashboard.evil.com" as a valid referrer.
Pseudo config:

if ($http_referer !~* dashboard) {
}

------------------------------------------------

>> Problem: [origins] Validation regex for "origin" or "referrer" matches untrusted domain.
Description: Improve the regular expression to match only trusted referrers.
Additional info: https://github.com/yandex/gixy/blob/master/docs/en/plugins/origins.md
Reason: Regex matches "http://evil.com/register.evil.com" as a valid referrer.
Pseudo config:

if ($http_referer !~* register) {
}

==================== Summary ===================
Total issues:
    Unspecified: 0
    Low: 0
    Medium: 0
    High: 0

To Reproduce
Steps to reproduce the behavior:

Expected Behavior
A clear and concise description of what you expected to happen.

Screenshots / Screen Cast
If applicable, add screenshots / screen cast to help explain your problem.

Config File (.env)
If applicable, add part of your non-sensitive data from configuration file (.env).

System Information (please complete the following information):

• OS: [e.g. Linux Mint 19.3 Tricia x86_64 ]
• Shell: [e.g. bash 4.4.20]
• Version [e.g. 2.0.0]

Additional Context
Add any other context about the problem here.