Description

The resources from this directory are being proxied to an external cloud storage bucket (such as Google Cloud Storage or AWS S3) using a permissive regular expression. The nginx configuration might look something like this:

# Vulnerable pattern: the negated class [^/] also matches CR and LF, so the
# captured $1 is substituted into the upstream request line unmodified.
location ~ /docs/([^/]*/[^/]*)? {
    proxy_pass https://bucket.s3.amazonaws.com/docs-website/$1.html;
}

Because regular expressions allow newlines by default (a negated character class such as [^/] matches CR and LF), it is possible to craft a request that forces the application to generate an upstream request vulnerable to HTTP response splitting and to fetch resources from an attacker-controlled bucket.

For more information, please consult the reference: Middleware, middleware everywhere - and lots of misconfigurations to fix

HTTP Response Splitting is an application-layer attack technique that enables various further attacks such as web cache poisoning, cross-user defacement, hijacking pages with sensitive user information and cross-site scripting (XSS). The attacker sends a single HTTP request that forces the web server to form an output stream, which is then interpreted by the target as two HTTP responses instead of one.

Remediation

The regular expression should be modified so that the captured group cannot contain newline characters.
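The following added example (not part of the original advisory or of nginx) illustrates both the root cause described above and the remediation: it applies the page's location regex, and an assumed tightened variant that only admits an explicit allow-list of characters, to a constructed request path carrying a percent-encoded CR LF, and reports whether the $1 capture that nginx would substitute into proxy_pass still contains a newline. Python's re module is used as a stand-in for nginx's PCRE; both treat a negated class like [^/] as matching CR and LF.

```python
import re
from urllib.parse import unquote

# Constructed request paths for the check: a benign one, and one carrying a
# percent-encoded CR LF pair, which nginx decodes before matching `location ~`.
NORMAL_PATH = "/docs/guide/intro"
CRLF_PATH = "/docs/guide%0d%0amarker/intro"

# Location regex taken from the page (vulnerable) and an assumed hardened
# variant (not from the page) whose classes cannot match CR or LF.
VULNERABLE_LOCATION = r"/docs/([^/]*/[^/]*)?"
HARDENED_LOCATION = r"/docs/([A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+)?"


def capture_for(location_regex, raw_path):
    """Return the $1 value nginx would substitute into proxy_pass, or None.

    `location ~` is an unanchored search against the percent-decoded URI, so
    the path is unquoted first. A negated class such as [^/] matches \\r and
    \\n in both Python's re and PCRE, which is the defect under discussion.
    """
    match = re.search(location_regex, unquote(raw_path))
    if match is None:
        return None
    return match.group(1)  # None when the optional group did not participate


def capture_allows_crlf(location_regex, raw_path=CRLF_PATH):
    """True if the capture that would reach the upstream request contains CR or LF."""
    captured = capture_for(location_regex, raw_path)
    return captured is not None and ("\r" in captured or "\n" in captured)


if __name__ == "__main__":
    for name, regex in (("vulnerable", VULNERABLE_LOCATION),
                        ("hardened", HARDENED_LOCATION)):
        print(f"{name}: capture={capture_for(regex, CRLF_PATH)!r} "
              f"crlf_reaches_upstream={capture_allows_crlf(regex)}")
```

With the vulnerable pattern the capture is "guide\r\nmarker/intro", so the newline reaches the upstream request; with the hardened pattern the optional group fails to match and nothing containing CR or LF is captured.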
