Bug 64852

Summary: Leakage of .ht contents
Product: Apache httpd-2
Reporter: UDAGAWA Mitsuru <contact>
Component: mod_access_compat
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: NEW ---
Severity: normal
Priority: P2
Version: 2.4.46
Target Milestone: ---
Hardware: PC
OS: Linux

Description UDAGAWA Mitsuru 2020-10-27 06:21:11 UTC
Locate the ".htaccess" file in httpd's public directory.

---- start .htaccess ----
satisfy any

order deny,allow
deny from all
allow from 192.168.1.0/24

authtype basic
authuserfile /var/www/html/.htpasswd
authgroupfile /dev/null
authname "authorization required"
require valid-user
--- end .htaccess ----

Usually, any user cannot access the ".htaccess/.htpasswd" files because of the configuration, but a user can read ".ht" file contents from the allowed network (192.168.1.x). If access from outside of allowed network or authorized user.
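
Added example (not part of the original report and not Apache project code): a small Python audit that flags `.htaccess` files combining `Satisfy any` with `Allow from`, the combination shown in the description, so an administrator can find directories to review. The function and constant names are hypothetical; the check reads plain directive lines only and does not evaluate section containers or the server's main configuration.

```python
import os
import re

# Directive name followed by its arguments; Apache directive names are case-insensitive.
DIRECTIVE = re.compile(r"^([A-Za-z]+)\s+(.*)$")

# The .htaccess from the report above, embedded so the example runs offline.
REPORTED_HTACCESS = """\
satisfy any

order deny,allow
deny from all
allow from 192.168.1.0/24

authtype basic
authuserfile /var/www/html/.htpasswd
authgroupfile /dev/null
authname "authorization required"
require valid-user
"""

def audit_htaccess(text):
    """Return the hosts named in 'Allow from' when 'Satisfy any' is in effect, else []."""
    satisfy_any = False
    allowed = []
    for raw in text.splitlines():
        line = raw.strip()
        match = DIRECTIVE.match(line)
        if not match:  # blank lines, comments, <Section> tags
            continue
        name, args = match.group(1).lower(), match.group(2).split()
        if name == "satisfy":
            satisfy_any = bool(args) and args[0].lower() == "any"  # last one wins
        elif name == "allow" and len(args) > 1 and args[0].lower() == "from":
            allowed.extend(args[1:])
    return allowed if satisfy_any else []

def scan_tree(root):
    """Map each flagged .htaccess path under root to its allowed hosts."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hosts = audit_htaccess(fh.read())
            if hosts:
                findings[path] = hosts
    return findings

if __name__ == "__main__":
    print(audit_htaccess(REPORTED_HTACCESS))
```

Running `scan_tree` over a document root lists every `.htaccess` that grants host-based access under `Satisfy any`, together with the networks it names.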