
The PHP code has a handleRoute($path) function that is triggered for URLs like server.com/routeme/a. handleRoute has the following: if file_exists($path) then include $path.

The $path argument is /srv/dirs/routeme/a.

A Google search leads to a million results where the file name is directly read from a parameter. When it is instead read from a URL, I can't just say server.com/routeme/a/../../, as nginx will reply with 400 Bad Request instead of executing the handleRoute function.

I have been attempting to find something that PHP will interpret as a path outside of routeme/ while nginx does not, and thus still lead to the execution of the include.

I was hoping %2E%2E%2F (encoded ../) would do it, but nginx still interprets this as a path.

I have a feeling that either I'm missing some obvious method to do this, or that it is a dead end and the code not vulnerable.

Zackline
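As an added illustration (not code from the question or from the site being tested), here is the pattern the question describes next to a version that pins the resolved file to the route directory. The directory /srv/dirs/routeme is taken from the question; the function and constant names are mine, and the sample inputs at the bottom are constructed.

```php
<?php
declare(strict_types=1);

// Added example; ROUTE_DIR matches the layout described in the question.
const ROUTE_DIR = '/srv/dirs/routeme';

// The pattern the question describes: whatever arrives in $path is included
// as long as it exists. If $path can contain '..', file_exists() is true for
// '/srv/dirs/routeme/a/../../../etc/passwd' and include() reads outside routeme/.
function handleRouteUnsafe(string $path): void
{
    if (file_exists($path)) {
        include $path;
    }
}

// Hardened resolver: take only the part of the URL after /routeme/, join it to
// the route directory, canonicalise with realpath() (which collapses '..' and
// follows symlinks) and refuse any result that does not sit inside ROUTE_DIR.
function resolveRoute(string $requested): ?string
{
    $base = realpath(ROUTE_DIR);
    if ($base === false) {
        return null;                       // route directory is missing
    }
    $candidate = realpath($base . '/' . ltrim($requested, '/'));
    if ($candidate === false) {
        return null;                       // no such file (mirrors file_exists)
    }
    // Require "<base>/" as a prefix so "/srv/dirs/routeme2/x" is rejected too.
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                       // escaped the route directory
    }
    return $candidate;
}

function handleRouteSafe(string $requested): void
{
    $file = resolveRoute($requested);
    if ($file === null) {
        http_response_code(404);
        return;
    }
    include $file;
}

// Constructed inputs. The traversal cases are rejected either because the
// canonical path leaves ROUTE_DIR or because realpath() fails on a missing
// component; 'a' resolves only if /srv/dirs/routeme/a actually exists.
foreach (['a', 'a/../../../etc/passwd', '../../etc/passwd', '/etc/passwd'] as $in) {
    $r = resolveRoute($in);
    echo $in, ' => ', ($r === null ? 'rejected' : $r), PHP_EOL;
}
```

The prefix check is what the original handler lacks; file_exists() alone says nothing about where the file lives. nginx collapsing `..` in the request URI protects only requests that pass through that nginx, so the containment check belongs in the PHP handler rather than in the front end.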

2 Answers


I don't think this is possible unless the HTTP Daemon itself is either in the root directory (e.g. in / rather than /var/www/html) OR if the HTTP Daemon itself is a superuser.

Unless I'm misreading your text and not properly grasping what you're trying to say here, I don't think this is a possibility without the httpd being in the root dir. I've come across instances where LFI/LFD has been possible simply by appending the path to the end of a URL, but like I said, only in instances wherein the HTTP Daemon itself is installed in the root directory, rather than the webroot. If it's installed properly (e.g. in the webroot) then I think it will always be considered a URL path as opposed to a path to a local system file?

MLT

If I understand you correctly, all you want to do is use a different root for a subset of your vhost.

If so, this can be done by using a location block with a root element inside the nginx vhost. You can look up the nginx recommended instructions for Drupal or WordPress for more information on how to make that work with loading script a (index.php in their case) while serving URL "b" (like {domain}/api/path/target), a.k.a. the clean URLs philosophy.

LvB
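A sketch of the location-with-root arrangement this answer refers to, added here as an illustration rather than taken from the answer or from any project's shipped configuration. The server name, both roots and the PHP-FPM socket are assumptions chosen to match the paths in the question.

```nginx
server {
    listen 80;
    server_name server.com;             # assumed
    root /var/www/html;                 # document root for everything else

    # Requests under /routeme/ are looked up under a different root:
    # /routeme/a maps to /srv/dirs/routeme/a. If no such file exists, the
    # request is handed to the front controller (the "clean URL" pattern).
    location /routeme/ {
        root /srv/dirs;
        try_files $uri /index.php$is_args$args;
    }

    # Front controller served from the main document root.
    location = /index.php {
        root /var/www/html;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
    }
}
```

One caveat: `try_files $uri` serves a matching file as a static response. If the files under /srv/dirs/routeme are PHP includes rather than static assets, drop `$uri` from the list so nginx never returns their source, and let index.php alone decide what to load.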