Unrated severity · NVD Advisory · Published Jun 15, 2010 · Updated Apr 29, 2026

CVE-2010-2263

Description

nginx 0.8 before 0.8.40 and 0.7 before 0.7.66, when running on Windows, allows remote attackers to obtain source code or unparsed content of arbitrary files under the web document root by appending ::$DATA to the URI.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Nginx on Windows before 0.7.66/0.8.40 discloses source code via NTFS alternate data stream syntax ::$DATA appended to URIs.

Vulnerability

Nginx versions 0.7 before 0.7.66 and 0.8 before 0.8.40, when running on Windows with an NTFS file system, fail to properly handle the default NTFS alternate data stream (ADS) name. When ::$DATA is appended to a URI, the server returns the raw source code or unparsed content of files under the web document root instead of executing them. This affects all Windows builds of nginx in those version ranges [1][2][3].

Exploitation

An attacker with network access to the nginx server can send a crafted HTTP request to any file under the web root, appending ::$DATA to the path. No authentication or special privileges are required. For example, requesting http://target/index.html::$DATA returns the source code of index.html instead of the rendered page [3]. The vulnerability is specific to Windows/NTFS; Unix systems are not affected [2].

Impact

Successful exploitation allows an attacker to read the source code of any file within the web document root, including configuration files, scripts, and other sensitive data. This can lead to information disclosure of application logic, credentials, or proprietary code. The attacker does not gain code execution or write access, but the disclosed information may facilitate further attacks.

Mitigation

The vulnerability was fixed in nginx 0.7.66 and 0.8.40, released on June 7, 2010 [1][2]. Users should upgrade to these versions or later. No workaround is available for vulnerable versions; the only mitigation is to upgrade. The fix is documented in the nginx changelog as "now nginx/Windows ignores default file stream name" [1]. This CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.
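
To check whether requests of this form reached a server, access logs can be scanned for the default stream suffix in the decoded URI path. The following is an added example, not part of the advisory or of nginx; it assumes nginx's "combined" access log format, and the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request line and status in an nginx "combined" log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Default NTFS data stream suffix; matched case-insensitively to be conservative.
ADS_RE = re.compile(r"::\$data", re.IGNORECASE)

def decode_path(target, max_rounds=3):
    """Return the URI path (query string dropped) with percent-encoding
    removed, repeating a few rounds so double-encoded forms are caught."""
    path = target.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def find_ads_requests(lines):
    """Return one record per log line whose decoded path contains ::$DATA."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = decode_path(m.group("target"))
        if ADS_RE.search(path):
            # A 200 from an unpatched Windows build means file content was returned.
            hits.append({"client": line.split(" ", 1)[0],
                         "path": path,
                         "status": int(m.group("status"))})
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2010:12:00:01 +0000] "GET /index.php::$DATA HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [10/Jun/2010:12:00:02 +0000] "GET /app/config.php%3A%3A%24data HTTP/1.1" 404 0 "-" "-"',
    '198.51.100.4 - - [10/Jun/2010:12:00:03 +0000] "GET /search?q=%3A%3A%24DATA HTTP/1.1" 200 900 "-" "-"',
    '198.51.100.4 - - [10/Jun/2010:12:00:04 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "-"',
    '203.0.113.9 - - [10/Jun/2010:12:00:05 +0000] "GET /a.php%253A%253A%2524DATA HTTP/1.1" 400 0 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_ads_requests(SAMPLE_LOG):
        print(hit["client"], hit["status"], hit["path"])
```

Only the path is inspected, so the suffix appearing in a query string (third sample line) is not reported.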

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

References

4
