Nginx, a feature-rich web server that first appeared in 2004, had by June 2023 become popular enough to hold the top share of the web server market. Security analyst Daniel Matsumoto explains on his blog how a single slash, present or absent in an Nginx configuration, can open a large security hole, using a major password manager and a Google-made tool as examples.

Hunting for Nginx Alias Traversals in the wild

https://labs.hakaioffsec.com/nginx-alias-traversal/

Nginx configuration has a "location" directive that describes how requests for a particular URL should be handled, and it is commonly used to map URLs onto files on the server. For example, the configuration below makes the contents of "/opt/production/assets/" on the server reachable through URLs under "/assets/".

location /assets/ { # defines how requests for URLs under "/assets/" are handled
    alias /opt/production/assets/; # serves them from the server's "assets" directory
}

When location is combined with alias in this way, a serious vulnerability arises whenever two conditions hold at once: the URL given to location does not end with a slash, and the path given to alias does end with one.



Take the configuration Matsumoto uses to illustrate this, "location /img" paired with "alias /var/images/". Because the location URL has no trailing slash, nginx forwards every URL that starts with "/img" to "/var/images/". Accessing "/img/profile.jpg", for instance, maps to "/var/images//profile.jpg", but consecutive slashes in a path are collapsed, so the data at "/var/images/profile.jpg" is returned. At the same time, accessing "/imgprofile.jpg" maps to "/var/images/profile.jpg" as well, and so on: two different URLs reach the same data.



Furthermore, requesting the URL "/img.." reaches whatever the path "/var/images/.." designates. In a path, "/.." refers to the parent directory, so "/var/images/.." is the same as "/var/", which lets a visitor climb up into directories that were never meant to be published. For example, requesting "/img../log/nginx/access.log" returns the contents of "/var/log/nginx/access.log". Particular care is needed when the server handles data that must stay confidential, such as personal information.



If the alias path has no trailing slash, requesting "/img.." merely makes nginx look for a directory named "/var/images..", so the parent directory's data is not reached. However, if confidential data is stored in a directory such as "/var/images_confidential", it can be accessed through the URL "/img_confidential". The upshot is that both the location URL and the alias path should carry a trailing slash.
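To make the mapping concrete, here is an added Python model of how nginx combines a prefix location with an alias. It is illustrative code written for this article, not nginx's source and not Matsumoto's tool. It reproduces the "/img" and "/var/images/" cases described above and also includes a "/attachments" case in the style of the Bitwarden finding discussed later; the alias directory "/etc/bitwarden/attachments/" used for that case is an assumption, since the article gives only the location prefix. Two details matter: nginx normalizes the request URI (merging repeated slashes and resolving dot segments) before matching a location, so "/img.." survives untouched because "img.." is not a dot segment, and the ".." that ends up inside the constructed filesystem path is resolved by the operating system when the file is opened, which is where the traversal actually happens.

```python
import posixpath


def normalize_uri(uri):
    """Model nginx's request-URI normalisation: merge repeated slashes and
    resolve "." and ".." segments. A ".." that would climb above "/" makes
    nginx answer 400, which this model represents by returning None."""
    segments = []
    for seg in uri.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                return None
            segments.pop()
        else:
            segments.append(seg)
    path = "/" + "/".join(segments)
    if uri.endswith("/") and not path.endswith("/"):
        path += "/"
    return path


def build_alias_path(location, alias, uri):
    """Filesystem path nginx constructs for a prefix `location` carrying an
    `alias`, or None when the location does not match the request.
    nginx's rule: drop the location prefix from the URI and append the
    remainder to the alias path, inserting no separator of its own."""
    norm = normalize_uri(uri)
    if norm is None or not norm.startswith(location):
        return None
    return alias + norm[len(location):]


def resolve(location, alias, uri):
    """Path the operating system finally opens: "//" collapses and ".."
    is resolved by the filesystem, not by nginx."""
    built = build_alias_path(location, alias, uri)
    return None if built is None else posixpath.normpath(built)


def escapes_alias(alias, resolved):
    """True when the file finally opened lies outside the alias directory."""
    root = alias.rstrip("/") + "/"
    return resolved is not None and not resolved.startswith(root)


if __name__ == "__main__":
    cases = [
        ("/img", "/var/images/", "/img/profile.jpg"),
        ("/img", "/var/images/", "/imgprofile.jpg"),
        ("/img", "/var/images/", "/img../log/nginx/access.log"),
        ("/img", "/var/images", "/img../log/nginx/access.log"),   # dir "images.." does not exist
        ("/img", "/var/images", "/img_confidential/secret.txt"),  # sibling-directory leak
        ("/img/", "/var/images/", "/img../log/nginx/access.log"),  # the fix: no match at all
        # assumed alias directory; the article only gives the "/attachments" prefix
        ("/attachments", "/etc/bitwarden/attachments/", "/attachments../vault.db"),
    ]
    for loc, ali, uri in cases:
        r = resolve(loc, ali, uri)
        flag = "no match" if r is None else ("OUTSIDE alias dir" if escapes_alias(ali, r) else "inside alias dir")
        print(f"location {loc:<13} alias {ali:<28} {uri:<32} -> {r}  [{flag}]")
```

Running the script prints one line per case; the three configurations the article calls dangerous all end up flagged as outside the alias directory, while the "/img/" plus "/var/images/" form never matches the traversal request in the first place.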



To gauge how much code contains this problem, Matsumoto searched GitHub with the regular expression below. It matches configurations in which the location path does not end with a slash while the alias path does.

/location \/[_.a-zA-Z0-9-\/]*[^\/][\s]\{[\s\n]*alias \/[_.a-zA-Z0-9-\/]*\/;/

The search turned up 1,900 files on GitHub. Not every one of them is necessarily affected, since the pattern also matches text inside code comments, for example, but there is no doubt that many projects carry the vulnerability.
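As an added example, not part of Matsumoto's post, the following Python runs his GitHub pattern (rewritten for Python's re module; the character class is spelled "[-_.a-zA-Z0-9/]" but matches the same set) over a constructed nginx configuration, and pairs it with a small structural check that strips comments first and also reports the "/img_confidential" style of leak, which the regex deliberately does not target. The sample configuration is made up for this example; its "/attachments" block uses an assumed alias directory, since the article states only the location prefix.

```python
import re

# Matsumoto's GitHub code-search pattern, rewritten for Python's re module:
# "location /<prefix not ending in />" + one whitespace + "{" ... "alias /<path ending in />;"
VULN_PATTERN = re.compile(
    r"location /[-_.a-zA-Z0-9/]*[^/]\s\{\s*alias /[-_.a-zA-Z0-9/]*/;"
)

# Constructed sample configuration for this example (not a real project's file).
SAMPLE_CONF = """
server {
    listen 80;

    # both end in "/": the safe form from the article
    location /assets/ {
        alias /opt/production/assets/;
    }

    # location without trailing slash, alias with one: traversal via /img../
    location /img {
        alias /var/images/;
    }

    # neither ends in "/": /static_confidential would reach /srv/static_confidential
    location /static {
        alias /srv/static;
    }

    # a commented-out block still matches the regex, one source of false positives
    # location /old { alias /srv/old/; }

    # assumed alias directory; the article only gives the location prefix
    location /attachments {
        alias /etc/bitwarden/attachments/;
    }
}
"""


def regex_hits(conf):
    """Return every snippet the blog's regex flags, comments included."""
    return [m.group(0) for m in VULN_PATTERN.finditer(conf)]


LOCATION_BLOCK = re.compile(r"location\s+(/[^\s{]*)\s*\{([^}]*)\}")
ALIAS_DIRECTIVE = re.compile(r"alias\s+([^\s;]+)\s*;")


def classify(location, alias):
    """Verdict for one prefix-location / alias pair, following the article's reasoning."""
    loc_slash, alias_slash = location.endswith("/"), alias.endswith("/")
    if not loc_slash and alias_slash:
        return "traversal"    # /img.. -> /var/images/.. -> parent directory
    if not loc_slash and not alias_slash:
        return "prefix-leak"  # /img_confidential -> /var/images_confidential
    if loc_slash and not alias_slash:
        return "mismatch"     # /img/x -> /var/imagesx: broken rather than exploitable
    return "ok"


def audit_pairs(conf):
    """Structural check: strip comments, then classify each plain prefix location
    that carries an alias. Nested blocks, regex ("~") and exact-match ("=")
    locations are out of scope for this simplified parser."""
    stripped = re.sub(r"#.*", "", conf)
    results = []
    for block in LOCATION_BLOCK.finditer(stripped):
        location, body = block.group(1), block.group(2)
        alias = ALIAS_DIRECTIVE.search(body)
        if alias:
            results.append((location, alias.group(1), classify(location, alias.group(1))))
    return results


if __name__ == "__main__":
    for hit in regex_hits(SAMPLE_CONF):
        print("regex hit:", " ".join(hit.split()))
    for location, alias, verdict in audit_pairs(SAMPLE_CONF):
        print(f"{verdict:<12} location {location:<14} alias {alias}")
```

On the sample the regex reports three hits, one of them the commented-out "/old" block, which is exactly the kind of false positive the article mentions; the structural pass ignores the comment and instead surfaces the "/static" pair, which the regex was never meant to find. Note that the regex requires exactly one whitespace character between the prefix and "{" and only handles plain prefix locations, so it is a triage heuristic rather than a complete audit.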



As a real instance of this vulnerability, Matsumoto cites the open-source password manager "Bitwarden". Bitwarden generates, fills in and synchronizes passwords across devices, and offers browser extensions alongside apps for Windows, macOS, Linux, Android, iOS and other platforms. GIGAZINE has reviewed it in the past.

Trying out "bitwarden", a free password manager that also supports automatic sync between devices - GIGAZINE



Bitwarden offers a self-hosting option for people who want to run their own server, and one of the self-hosting methods is a Docker image. At the time of writing it had recorded 100,000 downloads, suggesting a fairly large user base.



Matsumoto found the following code inside Bitwarden's Docker image. The location path is "/attachments", with no trailing slash, while the alias path does end with a slash. In this state every file under /etc/bitwarden/ becomes accessible.



That said, if nothing important is stored under /etc/bitwarden/, this does not amount to a serious problem, so Matsumoto looked into what data is kept there. He found the following line in the Dockerfile.

ENV BW_DB_FILE="/etc/bitwarden/vault.db"

When the user chooses SQLite as the database, Bitwarden stores it at "/etc/bitwarden/vault.db". Consequently, requesting "http://<instance>/attachments../vault.db" downloads the user's entire database. Numerous log files and certificate files could be downloaded the same way.



In response to the bug report, Bitwarden paid a bounty of $6,000 (about 850,000 yen), the highest in the company's history.

While examining code on GitHub, Matsumoto also discovered the same vulnerability in the "Google HPC-Toolkit" repository, which provides tooling that simplifies deployments to high performance computing on Google Cloud.

The problematic part is shown in the figure below. Here too the location path lacks a trailing slash while the alias path includes one.



Through this vulnerability the entire SQLite database and Django's secret key could be stolen, putting the Google Cloud credentials stored in the SQLite database at risk. Google paid a $500 (about 70,000 yen) bounty for the report.

Because the presence or absence of a single slash can create serious danger, Nginx configuration demands a thorough understanding and careful implementation. Matsumoto has also published a tool that black-box tests for this vulnerability from the outside, so those interested should take a look.