Description
🚨 CRITICAL: Infrastructure Exposure - Default Nginx Page on rt.aixblock.io
Describe the bug
The rt.aixblock.io subdomain exposes a default nginx welcome page, revealing critical infrastructure information that enables reconnaissance and potential targeted attacks against the AIxBlock platform. This information disclosure vulnerability provides attackers with valuable reconnaissance data including server technology stack, configuration status, and infrastructure fingerprinting information.
To Reproduce
Steps to reproduce the behavior:
- Open any web browser or use the curl command
- Navigate to 'https://rt.aixblock.io/'
- Observe the default nginx welcome page
- See exposed infrastructure information
Proof of Concept:
# Step 1: Access the vulnerable endpoint
curl -s "https://rt.aixblock.io/"
# Step 2: Verify server headers
curl -I "https://rt.aixblock.io/"
Current Response:
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
Expected behavior
The application should not expose default nginx pages or server information. The endpoint should either:
- Return a 404 error for unconfigured paths
- Redirect to the main application
- Serve a custom error page without revealing infrastructure details
- Implement proper access controls
Impact Assessment
Critical Severity (CVSS 7.5 - High)
Business Impact:
- Infrastructure reconnaissance enabled
- Targeted attacks facilitated
- Security posture degradation
- Compliance risk exposure
Technical Impact:
- Server technology stack exposed
- Version information revealed
- Configuration status disclosed
- Attack vector creation
Attack Scenarios:
- Reconnaissance: Attackers identify nginx and plan version-specific attacks
- Targeted Exploitation: Use version info for CVE research and exploitation
- Infrastructure Mapping: Understand system architecture for sophisticated attacks
Screenshots

Desktop (please complete the following information):
- OS: macOS 14.5.0
- Browser: Chrome, Safari, Firefox
- Version: Latest versions
Smartphone (please complete the following information):
- Device: iPhone, Android devices
- OS: iOS 17+, Android 13+
- Browser: Safari, Chrome Mobile
- Version: Latest versions
Additional context
Server Information Exposed:
- Nginx web server presence confirmed
- Server configuration status (unconfigured/misconfigured)
- Infrastructure fingerprinting data
- Version information (nginx 1.24.0 based on headers)
Recommended Fix:
# Remove default nginx page
location / {
    return 404; # Or redirect to proper application
}
# Add security headers
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
# Hide the nginx version in the Server header and on error pages.
# add_header cannot blank or remove the built-in Server header, so use server_tokens.
server_tokens off;
CVSS Scoring:
- Base Score: 7.5 (High)
- Attack Vector: Network (N)
- Attack Complexity: Low (L)
- Privileges Required: None (N)
- User Interaction: None (N)
- Scope: Unchanged (U)
- Confidentiality Impact: High (H)
- Integrity Impact: None (N)
- Availability Impact: None (N)
References:
Note: This vulnerability has been verified and is reproducible. The default nginx page exposure provides critical reconnaissance information that could be leveraged for sophisticated attacks against the AIxBlock infrastructure.
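One way to confirm the fix took effect, as an added example that is not part of the original report: a shell function that audits a saved HTTP response for the stock welcome page and a versioned Server header. The function name and both sample responses are constructed for illustration.

```shell
#!/bin/sh
# Audit a raw HTTP response (headers, blank line, body) read from stdin.
# Prints one finding per line; prints nothing when the response is clean.
# Live use (hypothetical variable): curl -si "$URL" | audit_response
audit_response() {
    local raw headers body server
    raw=$(tr -d '\r')                                # normalise CRLF line endings
    headers=$(printf '%s\n' "$raw" | sed '/^$/q')    # up to the first blank line
    body=$(printf '%s\n' "$raw" | sed '1,/^$/d')     # everything after it

    # Finding 1: the stock welcome page is still being served.
    if printf '%s\n' "$body" | grep -qiF '<title>Welcome to nginx!</title>'; then
        echo "default-page"
    fi

    # Finding 2: the Server header carries a product/version token.
    server=$(printf '%s\n' "$headers" |
        awk 'tolower($0) ~ /^server:/ { sub(/^[^:]*:[ \t]*/, ""); print; exit }')
    if printf '%s\n' "$server" | grep -Eq '/[0-9]+\.[0-9]+'; then
        echo "server-version:$server"
    fi
}

# Constructed sample: the response shape the report describes
# (welcome page plus a versioned Server header).
sample_before() {
    printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.24.0\r\nContent-Type: text/html\r\n\r\n'
    printf '<!DOCTYPE html>\n<html>\n<head>\n<title>Welcome to nginx!</title>\n</head>\n</html>\n'
}

# Constructed sample: the response expected after `return 404;` and
# `server_tokens off;` are applied.
sample_after() {
    printf 'HTTP/1.1 404 Not Found\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n'
    printf '<html><head><title>404 Not Found</title></head></html>\n'
}

echo "before fix:"; sample_before | audit_response
echo "after fix:";  sample_after  | audit_response
```

With `server_tokens off` the product name still appears in the Server header; only the version is removed, which is why the second check looks for a version token rather than the word nginx.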