I am experimenting with various ways of annoying bots and automated vulnerability scanners that reach my service. In one instance I am serving a recursive decompression bomb for all requests for .php files. Since none of my services run PHP, and never have, all such traffic can be safely assumed malicious.
Recently (a couple of months since first deployment) I started seeing repeated requests to the server trying to fetch the recursive decompression bomb by its real file name, which should have never been exposed anywhere.
Is it possible for nginx to leak the real file name? Through misconfiguration or other means?
I am using nginx (version 1.14.2-2+deb10u1) as a reverse proxy and for SSL termination.
The custom application behind it is not aware of the existence of the decompression bomb and lives in its own completely separate directory tree. It never reads nor serves any files from the local server; all its data is in physically separate database and cache servers. While I cannot prove absence of vulnerabilities in this custom app, I have not found any evidence of it being used to access (or leak) local directory contents.
The decompression bomb does not contain its file name in its contents.
The decompression bomb file <redacted-payload-filename> exists and is properly served in response to .php file requests.
Given the above, I believe something in my nginx setup leaked the real file name of the decompression bomb.
I've tried using all request methods (GET, HEAD, PUT, POST, DELETE, CONNECT, OPTIONS, TRACE, PATCH) on the server from curl like the following:
and (as expected) none of the responses leaked the file name in any of the headers or contents.
Below is a redacted and inlined version of my nginx configuration. There is only one server defined, the Debian default server config has been removed. The error code mapping is there to avoid triggering high error rate alerts when hit by hundreds of consecutive bot requests.
I would appreciate any help in figuring out what I am doing wrong and how the <redacted-payload-filename> could have been leaked.
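One check worth running before touching the config is the access log itself: when did the first request for the payload by name arrive, did that client request a .php path just before, was any .php request answered with a 3xx (a Location header is one way a file name reaches a client), and do the direct requests carry a Referer. The script below is an added example, not part of the question; it assumes the Debian default "combined" log format, uses a placeholder in place of the redacted file name, and runs on constructed sample lines.

```python
import re
from datetime import datetime

# Placeholder standing in for the redacted decompression-bomb file name.
PAYLOAD_PATH = "/redacted-payload-filename"
# nginx "combined" log format (the Debian default access log).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?:\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
# Constructed sample lines (not real traffic); RFC 5737 documentation addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Mar/2021:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2021:10:00:02 +0000] "GET /redacted-payload-filename HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Mar/2021:11:30:00 +0000] "GET /phpmyadmin/index.php?x=1 HTTP/1.1" 301 169 "-" "curl/7.64.0"
198.51.100.9 - - [01/Mar/2021:11:30:05 +0000] "GET /redacted-payload-filename HTTP/1.1" 200 4096 "http://example.net/list" "curl/7.64.0"
192.0.2.4 - - [01/Mar/2021:12:00:00 +0000] "GET /api/health HTTP/1.1" 200 15 "-" "kube-probe/1.18"
"""

def parse_log(lines):
    """Yield one dict per combined-format line; unparseable lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            rec["status"] = int(rec["status"])
            rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
            yield rec

def analyse(records):
    """Report when and how the payload name first shows up in requests."""
    out = {"first_direct": None, "php_redirects": [], "referers": set(), "correlated": {}}
    php_seen = {}  # client ip -> time of its first .php request
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["path"].lower().endswith(".php"):
            php_seen.setdefault(r["ip"], r["ts"])
            # A 3xx answer to a .php request carries a Location header: inspect these.
            if 300 <= r["status"] < 400:
                out["php_redirects"].append(r)
        elif r["path"] == PAYLOAD_PATH:
            out["first_direct"] = out["first_direct"] or r
            if r["referer"] != "-":  # where the client claims it found the URL
                out["referers"].add(r["referer"])
            # Same client: a .php request first, then the payload by name (gap in seconds).
            if r["ip"] in php_seen and r["ip"] not in out["correlated"]:
                out["correlated"][r["ip"]] = (r["ts"] - php_seen[r["ip"]]).total_seconds()
    return out

def summarise(log_text=SAMPLE_LOG):
    return analyse(parse_log(log_text.splitlines()))
```

Run it over the real access log (including rotated files) rather than the sample: the timestamp of the first direct hit narrows down which config change or response could have exposed the name.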