Bug 64852 - Leakage of .ht contents
Summary: Leakage of .ht contents
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_access_compat
Version: 2.4.46
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Reported: 2020-10-27 06:21 UTC by UDAGAWA Mitsuru
Modified: 2020-10-27 06:21 UTC
Description UDAGAWA Mitsuru 2020-10-27 06:21:11 UTC
Locate the ".htaccess" file in httpd's public directory.

---- start .htaccess ----
satisfy any

order deny,allow
deny from all
allow from 192.168.1.0/24

authtype basic
authuserfile /var/www/html/.htpasswd
authgroupfile /dev/null
authname "authorization required"
require valid-user
--- end .htaccess ----

Usually, no user can access the ".htaccess"/".htpasswd" files because of the configuration, but a user can read ".ht" file contents from the allowed network (192.168.1.x). If access from outside of allowed network or authorized user.
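
An added example, not part of the original report and not httpd project code: a small audit that flags the two properties of the .htaccess above that matter here, "satisfy any" combined with an "allow from" host list, and an authuserfile stored under the served directory. The function names, finding labels and the docroot default (taken from the authuserfile path in the report and assumed to be the public directory) are hypothetical.

```python
# Constructed sample: the .htaccess quoted in this report.
REPORTED_HTACCESS = """\
satisfy any

order deny,allow
deny from all
allow from 192.168.1.0/24

authtype basic
authuserfile /var/www/html/.htpasswd
authgroupfile /dev/null
authname "authorization required"
require valid-user
"""

def parse_directives(text):
    """Return (name, args) pairs; names are lower-cased because httpd
    directive names are case-insensitive. Comments and <Section> tags are skipped."""
    pairs = []
    for line in text.replace("\\\n", " ").splitlines():  # join continuation lines
        parts = line.strip().split(None, 1)
        if not parts or parts[0][0] in "#<":
            continue
        pairs.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return pairs

def audit(text, docroot="/var/www/html"):  # docroot: assumed public directory
    directives = parse_directives(text)
    findings = []
    satisfy_any = any(n == "satisfy" and a.lower() == "any" for n, a in directives)
    # "allow from <host> [<host> ...]": drop the "from" keyword, keep the hosts
    allowed = [h for n, a in directives if n == "allow" for h in a.split()[1:]]
    if satisfy_any and allowed:
        # Hosts matched by Allow are admitted without authentication.
        findings.append(("satisfy-any-host-bypass", allowed))
    prefix = docroot.rstrip("/") + "/"
    for n, a in directives:
        path = a.strip('"')
        if n in ("authuserfile", "authgroupfile") and path.startswith(prefix):
            findings.append(("credential-file-under-docroot", [path]))
    return findings

if __name__ == "__main__":
    for label, detail in audit(REPORTED_HTACCESS):
        print(label, detail)
```

Run over a tree of .htaccess files, each finding marks a file to review for the behaviour reported above.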