Hidden files on Apache/Linux
Posted: Fri Nov 18, 2005 3:54 pm
by alex.barylski
I always thought by virtue of naming a file like:
.htaccess the file is inaccessible to anyone via HTTP...
However I just named a file:
.settings right inside my document root
and using something like:
http://www.mydomain.com/.settings
And Voilà!!! My browser returned the contents of this file...
Nothing of importance...but still...what gives...if I had an htaccess file alongside .settings...would its contents be visible also???
I thought under linux any file prefixed with a '.' was invisible...???
Is this a problem with my shared host or is this just the way things work???
Should I contact my hosting company???
Cheers

Posted: Fri Nov 18, 2005 4:02 pm
by Ambush Commander
Not sure, but I thought they blocked .ht* files?
Anyway, you can always restrict access using the htaccess file itself, so it's not that big.

Posted: Fri Nov 18, 2005 5:26 pm
by timvw
There is no problem whatsoever.
'ls' will list directory contents (hiding thingies that start with .)
'ls -a' will list all contents (also thingies that start with .)
Now, apache doesn't use 'ls' so in a regular configuration it will make everything available that is in your "pubwww" directory.
If apache is allowed to do so it will look for a .htaccess file to override configuration settings. By default files starting with .ht are not displayed. That also explains why you probably can't see a .htaccess file.
If you want to deny access to all files starting with . you could add the following:
Code:
<Files ~ "^\.">
Order allow,deny
Deny from all
</Files>

Posted: Sat Nov 19, 2005 10:21 am
by AGISB
I can't even imagine how many sites have an open .htaccess. You can view it by
http://url/.htaccess
To avoid this you can place this inside the .htaccess
Code:
<Files ~ "\.htaccess$">
order deny,allow
deny from all
</Files>

Posted: Sat Nov 19, 2005 12:21 pm
by shiflett
AGISB wrote: I can't even imagine how many sites have an open .htaccess. You can view it by
http://url/.htaccess
Not many. The default httpd.conf includes the following:
Code:
<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</Files>

Posted: Sun Nov 20, 2005 1:30 am
by AGISB
shiflett wrote: AGISB wrote: I can't even imagine how many sites have an open .htaccess. You can view it by
http://url/.htaccess
Not many. The default httpd.conf includes the following:
Code:
<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</Files>

I am not sure which apache version put this as default. I am sure that many early apaches that still run did not. I did have the problem at some time at my server.

Posted: Sun Nov 20, 2005 11:33 am
by alex.barylski
So...
only files starting with
.ht apache recognizes as DO NOT SEND BACK TO USER type files???
So I could rename the file
.htsettings and everything should be cool?
Thanks

Posted: Sun Nov 20, 2005 4:09 pm
by timvw
It all depends on your apache settings... So check them to be absolutely sure..
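
Added example, not part of any post in this thread: a Python sketch that walks a document root and lists the dotfiles that a given set of `<Files ~ "...">` deny patterns would still leave servable, comparing the `^\.ht` default quoted above with the broader `^\.` rule. The sample file names are constructed, and Python's `re` stands in for Apache's regex matching, an assumption that holds for these simple patterns.

```python
import os
import re
import tempfile

# Patterns quoted in the thread. <Files ~ "regex"> is matched against the
# file's base name; Python's re approximates Apache's regex engine here
# (assumption, adequate for these simple patterns).
DEFAULT_HT_RULE = r"^\.ht"    # the httpd.conf default quoted by shiflett
ALL_DOTFILES_RULE = r"^\."    # the rule suggested by timvw


def exposed_dotfiles(docroot, deny_patterns):
    """Return sorted relative paths of dotfiles that no deny pattern matches."""
    rules = [re.compile(p) for p in deny_patterns]
    exposed = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        for name in filenames:
            if not name.startswith("."):
                continue  # only dotfiles are of interest in this audit
            if not any(rule.search(name) for rule in rules):
                full = os.path.join(dirpath, name)
                exposed.append(os.path.relpath(full, docroot))
    return sorted(exposed)


def build_sample_docroot(root):
    """Create a constructed sample tree; the file names are illustrative."""
    for rel in (".htaccess", ".htsettings", ".settings",
                "index.php", os.path.join("inc", ".db.ini")):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")


def demo():
    """Audit the sample tree under each rule and return both results."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_docroot(root)
        return (exposed_dotfiles(root, [DEFAULT_HT_RULE]),
                exposed_dotfiles(root, [ALL_DOTFILES_RULE]))


if __name__ == "__main__":
    only_ht, all_dot = demo()
    print("not covered by ^\\.ht:", only_ht)
    print("not covered by ^\\.  :", all_dot)
```

Because `<Files>` looks only at the file name, a file sitting inside a dot-directory whose own name has no leading dot is matched by neither pattern and needs a directory-level rule. The result only reflects the patterns passed in, so the server's actual configuration still has to be checked.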