NGINX path traversal issue
In the default nginx configuration, locations like these are used with alias directives:
location /_protected/music
location /_protected/media
location /front
location /front/embed.html
Because these locations have no trailing slash, a request like this could escape the aliased directory:
/_protected/media../..
which maps to /path/to/media/../../
To solve this issue, locations that point to directories should be suffixed with a / and locations that point to files should be prefixed with =, as follows:
location /_protected/music/
location /_protected/media/
location /front/
location =/front/embed.html
Source: https://github.com/yandex/gixy/blob/master/docs/en/plugins/aliastraversal.md
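One way to check a configuration for the pattern described above, as an added example (not code from this project or from gixy): it flags every prefix location that carries an alias directive and does not end in /. The function name, the regexes and the alias paths in the two sample configurations are assumptions made for illustration; only the location names come from this page.

```python
import re

# Leaf "location" blocks: optional modifier, path, body without nested braces.
LOCATION_RE = re.compile(
    r"\blocation\s+(?:(=|~\*|~|\^~)\s*)?([^\s{]+)\s*\{([^{}]*)\}"
)
ALIAS_RE = re.compile(r"(?<![\w-])alias\s+([^;]+);")


def find_alias_traversal(config_text):
    """Return (location, alias) pairs where a prefix location used with
    alias does not end in "/"."""
    text = re.sub(r"#[^\n]*", "", config_text)  # drop comments
    findings = []
    for modifier, path, body in LOCATION_RE.findall(text):
        alias = ALIAS_RE.search(body)
        if alias is None:
            continue  # this check only concerns alias
        if modifier == "=":
            continue  # exact match: only that one URI is served
        if modifier in ("~", "~*"):
            continue  # regex locations are out of scope for this check
        if not path.endswith("/"):
            findings.append((path, alias.group(1).strip()))
    return findings


# Constructed samples: location names from this page, alias paths assumed.
BEFORE = """
location /_protected/music { alias /path/to/music/; }
location /_protected/media { alias /path/to/media/; }
location /front { alias /path/to/front/; }
location /front/embed.html { alias /path/to/front/embed.html; }
"""

AFTER = """
location /_protected/music/ { alias /path/to/music/; }
location /_protected/media/ { alias /path/to/media/; }
location /front/ { alias /path/to/front/; }
location =/front/embed.html { alias /path/to/front/embed.html; }
"""

if __name__ == "__main__":
    for location, alias in find_alias_traversal(BEFORE):
        print(f"location {location} (alias {alias}): add trailing / or use =")
    print("findings after fix:", find_alias_traversal(AFTER))
```

The regex only sees location blocks without nested braces, so a location that contains an if or a nested location needs a real nginx config parser.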