Nginx UI Improper Path Validation Vulnerability Leading to Recursive Deletion of Nginx Configuration Directory

Vulnerability

A vulnerability in Nginx UI versions through 2.3.3 stems from improper handling of URL-encoded traversal sequences. This flaw enables an authenticated user to craft paths that the backend mistakenly resolves to the base Nginx configuration directory (/etc/nginx). The issue arises because path normalization does not reject traversal attempts; instead, it collapses them onto the sensitive configuration directory itself. Exploiting this vulnerability allows deletion of the entire Nginx configuration directory, causing a partial denial of service by disrupting Nginx operations and removing all configurations managed by Nginx UI.
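As an added illustration of the check this class of bug calls for (example code, not Nginx UI's own implementation), the Go function below resolves a user-supplied config name against a base directory: it decodes the name until no percent-escapes remain, rejects any ".." segment, and refuses a result that lands on or outside the base directory. The base path, function names, and the treatment of malformed escapes as errors are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// ErrUnsafePath is returned for names that escape, or resolve to, the base directory.
var ErrUnsafePath = errors.New("unsafe path: traversal or base-directory reference rejected")

// resolveConfigPath maps a user-supplied relative name onto a path strictly inside base.
// Hypothetical helper: names may arrive URL-encoded more than once, so decoding is
// repeated until the value is stable before any normalization happens.
func resolveConfigPath(base, name string) (string, error) {
	decoded := name
	for i := 0; i < 3; i++ {
		next, err := url.PathUnescape(decoded)
		if err != nil {
			return "", fmt.Errorf("malformed encoding: %w", err)
		}
		if next == decoded {
			break
		}
		decoded = next
	}
	// Reject any ".." segment explicitly, on either separator style.
	isSep := func(r rune) bool { return r == '/' || r == '\\' }
	for _, seg := range strings.FieldsFunc(decoded, isSep) {
		if seg == ".." {
			return "", ErrUnsafePath
		}
	}
	cleanBase := filepath.Clean(base)
	joined := filepath.Join(cleanBase, filepath.FromSlash(decoded))
	// Belt and braces: the result must be strictly inside base, never base itself
	// (a deletion aimed at "." would otherwise remove the whole directory).
	rel, err := filepath.Rel(cleanBase, joined)
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafePath
	}
	return joined, nil
}

func main() {
	for _, n := range []string{"conf.d%2Fsite.conf", "..%252F..%252F..%252F..%252Ftest", "."} {
		p, err := resolveConfigPath("/etc/nginx", n)
		fmt.Printf("%-36q -> path=%q err=%v\n", n, p, err)
	}
}
```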

Impact

Exploitation of this vulnerability leads to the complete removal of the Nginx configuration directory, causing an immediate failure of the Nginx service and disrupting all web services that rely on the affected Nginx instance. The deletion operation is recursive, removing all configuration files and leaving the system unable to restart Nginx until the files are manually restored.

Reproduction

To reproduce this vulnerability, log into Nginx UI and navigate to the 'Manage Configs' section. Create a folder with a name that includes URL-encoded traversal sequences, such as '..%252F..%252F..%252F..%252Ftest'. After creating the folder, upload a file named 'testing' and rename it to include the traversal sequence payload. Once the file is renamed, use the Nginx UI interface to delete it. After deletion, check the '/etc/nginx' directory to confirm that it has been removed, indicating successful exploitation.

Remediation

Users are advised to update Nginx UI to version 2.3.4, where this vulnerability has been patched.

Added: Mar 30, 2026, 6:32 PM
Updated: Mar 30, 2026, 6:32 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 1.7
exploitability: 6.2
remediation: 7.7
relevance: 4.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.