apache logo

Most apache (and probably all web server administrators in general) know that they should not allow access to .htaccess or .htpasswd files. Access to these is typically denied by default with:

<Files ~ "\.ht">
    Order allow,deny
    Deny from all

But this ignores a wide variety of potential security risks posed by hidden files in general. In any *nix (unix, BSD, linux, OS X), any file that begins with a period is a “hidden” file. As the quotes indicate, “hidden” does not mean hidden in the strict sense. Hidden files are always shown, but you must explicitly ask to see hidden files. Otherwise they are not shown. Configuration files are often hidden files because they don’t need to be seen on a daily basis.

The problem comes in when we start using various unix tools on web servers. Version control systems like subversion and git contain all their configuration data and previous files in “hidden” subdirectories, ie .svn and .git. Just by randomly guessing, an attacker might be able to randomly guess at which version control system you use and download source code which might contain passwords or secret keys.

Apache should block access to hidden files by default, but unfortunately it does not (at least not in Debian/Ubuntu). I have never used a web application that serves hidden files, so I have a fairly high degree of confidence that disabling web access to hidden files will not break anything. Even if a web app absolutely must serve a hidden file, you could enable that while keeping hidden files inaccessible by default.

Here is the obvious apache configuration to disable access to hidden files and folders:

<FilesMatch "^\.">
    Order allow,deny
    Deny from all
    Satisfy All

<DirectoryMatch "^(.*/)*\..*">
    Order allow,deny
    Deny from all
    Satisfy All

Unfortunately, that does not always do a complete job. Many web applications or template systems will load files if they exist. Although you may not have a web app like this on your system, I would still disable all requests for hidden files as well:

<LocationMatch ^(.*/)\..*>
  Order Allow,Deny
  Deny from All
  Satisfy All

Disabling hidden files both on the request side and the file serving side should protect you from leaking hidden files, barring other application security holes.


comments powered by Disqus