info@xxxxxxxxxxxxxx wrote: > Vul in stable versions now isn't work. > Original Advisory: > http://blog.pouya.info/userfiles/vul/NginX.rar http://www.coresecurity.com/content/filename-pseudonyms-vulnerabilities Multiple Vulnerabilities with 8.3 filename pseudonyms in Web servers "Nginx Web Server [1]. The way Nginx handles files may differ when they are requested using their 8.3 alias, and short file or path names are not correctly handled when applying file handling rules or access restrictions. By abusing of these flaws an attacker can bypass security options implemented in the web server. For instance, file.shtml will become FILE~1.SHT. This will cause the file to be handled as a .sht file, not a .shtml file. The result of this is that instead of processing SSI directives as would normally be the case with a .shtml file, the file would be served unprocessed. Additionally, Nginx does not correctly handle extraneous spaces after file extensions when applying preprocessing rules or access restrictions."
