Hidden files on Apache/Linux

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Hidden files on Apache/Linux

Post by alex.barylski »

I always thought by virtue of naming a file like: .htaccess the file is inaccessible to anyone via HTTP...

However I just named a file: .settings right inside my document root

and using something like: http://www.mydomain.com/.settings

And Voilà!!! My browser returned the contents of this file...

Nothing of importance...but still...what gives...if I had an htaccess file alongside .settings...would its contents be visible also???

I thought under Linux any file prefixed with a '.' was invisible...???

Is this a problem with my shared host or is this just the way things work???

Should I contact my hosting company???

Cheers :)
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Not sure, but I thought they blocked .ht* files?

Anyway, you can always restrict access using the htaccess file itself, so it's not that big.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

There is no problem whatsoever.

'ls' will list directory contents (hiding thingies that start with .)
'ls -a' will list all contents (also thingies that start with .)

Now, apache doesn't use 'ls' so in a regular configuration it will make everything available that is in your "pubwww" directory.

If apache is allowed to do so it will look for a .htaccess file to override configuration settings. By default files starting with .ht are not displayed. That also explains why you probably can't see a .htaccess file.

If you want to enforce denying access to all files starting with . you could add the following:

<Files ~ "^\.">
    Order allow,deny
    Deny from all
</Files>
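An added example, not from the thread, showing the same dotfile deny rule in Apache 2.4 syntax (where Order/Deny from mod_access_compat are replaced by Require) together with a matching rule for dot-directories, which <Files> alone does not cover; the placement notes assume a typical setup and are not from the original post:

```apache
# Added example, not part of the thread. Deny every file whose name begins
# with a dot (.settings, .htaccess, .env, ...). Apache 2.4 syntax; this may
# live in the main server/vhost config, or in .htaccess when
# AllowOverride includes AuthConfig (assumption about the host's setup).
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# Apache 2.2 equivalent (mod_access), as posted above in the thread:
#   <Files ~ "^\.">
#       Order allow,deny
#       Deny from all
#   </Files>

# <Files>/<FilesMatch> only test the final path component, so a request
# for /.hidden/config.txt would still be served. DirectoryMatch tests the
# full filesystem path of the directory and is server-config only
# (it cannot be placed in .htaccess).
<DirectoryMatch "/\.">
    Require all denied
</DirectoryMatch>
```

After reloading, a request such as `curl -sI http://www.mydomain.com/.settings` should return 403 rather than the file contents; if it still returns 200, the directive is not in effect (for .htaccess, typically because AllowOverride forbids it).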
AGISB
Forum Contributor
Posts: 422
Joined: Fri Jul 09, 2004 1:23 am

Post by AGISB »

I can't even imagine how many sites have an open .htaccess. You can view it by http://url/.htaccess

To avoid this you can place this inside the .htaccess


<Files ~ "\.htaccess$">
order deny,allow
deny from all
</Files>
shiflett
Forum Contributor
Posts: 124
Joined: Sun Feb 06, 2005 11:22 am

Post by shiflett »

AGISB wrote: I can't even imagine how many sites have an open .htaccess. You can view it by http://url/.htaccess
Not many. The default httpd.conf includes the following:


<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>
AGISB
Forum Contributor
Posts: 422
Joined: Fri Jul 09, 2004 1:23 am

Post by AGISB »

shiflett wrote:
AGISB wrote: I can't even imagine how many sites have an open .htaccess. You can view it by http://url/.htaccess
Not many. The default httpd.conf includes the following:


<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>
I am not sure which apache version put this in as the default. I am sure that many early apaches that still run did not. I did have the problem at some time on my server.
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

So...

only files starting with .ht does apache recognize as DO NOT SEND BACK TO USER type files???

So I could rename the file .htsettings and everything should be cool?

Thanks :)
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

It all depends on your apache settings... So check them to be absolutely sure..