Something to check for in your nginx configs, especially if you’re running your own BitWarden instance. You could be exposing your encrypted vault.
I run the vaultwarden container and that “seems” to be ok. Not sure how to check it though.
Running an update just in case
While Nginx is a robust and incredibly versatile tool that fuels a significant portion of the internet, it’s easily susceptible to certain inconsistencies. These potential pitfalls are often a result of misconfigurations, which can inadvertently transform this reliable powerhouse into a possible weak link. Nginx’s approach to security leaves a significant onus on developers to avoid hazardous configurations, underscoring the importance of thorough understanding and cautious implementation.
It seems that “onus on developers to avoid hazardous configurations” is doing a lot of heavy lifting here.
While this is probably true for being able to access directories that share the same prefix (i.e. /img_private/), which can be blamed on misconfiguration, the other examples using /../ to do path traversal seem more like a security vulnerability in nginx itself, and I’m surprised that this is waved away as being a user configuration issue.
Now I’m wondering what the practical way to check for that configuration is.
Something like that article’s regex might do the job, but at first attempt rgrep -E wasn’t having it.
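As an added example (not code from the thread or from the article it discusses), here is a small Python checker for the nginx pattern the thread seems to be talking about. The thread never names it, so this assumes the issue is the well-known `alias` mismatch: a `location` prefix with no trailing slash paired with an `alias` target that has one, which lets a request like `/img../` resolve to `/data/images/../`. The config text below is constructed for the example; point `find_alias_traversal` at your own nginx.conf contents instead. It only handles `location` blocks without nested blocks, which covers the common case.

```python
import re

# Constructed sample nginx config for this example (not from the original thread).
SAMPLE_CONFIG = """
server {
    listen 80;

    # Mismatch: prefix has no trailing slash, alias target has one.
    # Request /img../secret.txt -> /data/images/../secret.txt
    location /img {
        alias /data/images/;
    }

    # Consistent: trailing slash on both, remainder is appended cleanly.
    location /static/ {
        alias /data/static/;
    }

    # root appends the full URI, so this particular mismatch does not apply.
    location /docs {
        root /var/www;
    }

    # Regex locations with alias need a manual look (captures, no prefix semantics).
    location ~ ^/files {
        alias /data/files/;
    }
}
"""

# Matches a location directive and its body; the body must contain no nested { } blocks.
LOCATION_RE = re.compile(
    r'location\s+(?P<modifier>=|~\*|~|\^~)?\s*(?P<path>\S+)\s*\{(?P<body>[^{}]*)\}'
)
ALIAS_RE = re.compile(r'\balias\s+(?P<target>[^;]+);')


def find_alias_traversal(config_text):
    """Return (location_path, alias_target, finding) tuples for suspicious blocks."""
    findings = []
    for m in LOCATION_RE.finditer(config_text):
        modifier = m.group("modifier") or ""
        path = m.group("path")
        alias = ALIAS_RE.search(m.group("body"))
        if not alias:
            continue  # only alias is affected by the prefix/target mismatch
        target = alias.group("target").strip()
        if modifier in ("~", "~*"):
            # nginx does not strip a prefix for regex locations; flag for human review.
            findings.append((path, target, "regex-location-with-alias-review"))
            continue
        if modifier == "=":
            continue  # exact match: nothing is appended after the prefix
        if not path.endswith("/") and target.endswith("/"):
            findings.append((path, target, "alias-traversal"))
    return findings


def suggest_fix(path, target):
    """Suggested rewrite: give the location prefix the same trailing slash as the target."""
    fixed_path = path if path.endswith("/") else path + "/"
    return f"location {fixed_path} {{ alias {target}; }}"


if __name__ == "__main__":
    for path, target, kind in find_alias_traversal(SAMPLE_CONFIG):
        print(f"{kind}: location {path} -> alias {target}")
        if kind == "alias-traversal":
            print("  suggested:", suggest_fix(path, target))
```

Running it on the sample reports the `/img` block and the regex block, and stays quiet about `/static/` and the `root`-based block. On a real server the cheaper cross-check is to request `/img../` (against your own instance) and confirm you get a 404 rather than a directory listing or a file from the parent directory.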