What they are/How to use them

.htaccess files (or “distributed configuration files”) provide a way to make configuration changes on a per-directory basis. A file, containing one or more configuration directives, is placed in a particular document directory, and the directives apply to that directory, and all subdirectories thereof.

When (not) to use .htaccess files

In general, you should never use .htaccess files unless you don’t have access to the main server configuration file. There is, for example, a prevailing misconception that user authentication should always be done in .htaccess files. This is simply not the case. You can put user authentication configurations in the main server configuration, and this is, in fact, the preferred way to do things.


.htaccess files should be used in a case where the content providers need to make configuration changes to the server on a per-directory basis, but do not have root access on the server system. In the event that the server administrator is not willing to make frequent configuration changes, it might be desirable to permit individual users to make these changes in .htaccess files for themselves. This is particularly true, for example, in cases where ISPs are hosting multiple user sites on a single machine, and want their users to be able to alter their configuration.


Further note that Apache must look for .htaccess files in all higher-level directories, in order to have a full complement of directives that it must apply.

Thus, if a file is requested out of a directory /www/htdocs/example, Apache must look for the following files:

/.htaccess
/www/.htaccess
/www/htdocs/.htaccess
/www/htdocs/example/.htaccess

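To stop the contents of configuration folders from being listed, add the following directive to the .htaccess file. The -Indexes option turns off automatic directory listings. Every keyword on an Options line must carry a + or - sign, or none may: Apache 2.4 rejects a line that mixes the two forms.

Options -Indexes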

The .htaccess file must be kept in the root folder if server root access is available. The file will then protect the folder it resides in, and all subfolders, against unauthenticated access.

The configuration directives found in a .htaccess file are applied to the directory in which the .htaccess file is found, and to all subdirectories thereof.

So putting the .htaccess file in the root folder is good practice.
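The lookup chain and the downward inheritance described above can be checked offline. The following Python sketch is an added example, not code from the original article: the function names, the `inherited` parameter and the sample .htaccess contents are constructed, and it assumes AllowOverride permits Options at every level and models only the Options directive.

```python
from pathlib import PurePosixPath

def htaccess_chain(directory):
    """Every .htaccess path Apache consults for `directory`, root first."""
    d = PurePosixPath(directory)
    dirs = list(d.parents)[::-1] + [d]
    return [str(p / ".htaccess") for p in dirs]

def indexes_enabled(directory, files, inherited=False):
    """Walk the chain and report (listing_enabled, file_that_decided).

    files: dict mapping .htaccess path -> file text (constructed input).
    inherited: Indexes state coming from the main server configuration.
    """
    state, decided_by = inherited, None
    for path in htaccess_chain(directory):
        for line in files.get(path, "").splitlines():
            words = line.split()
            if not words or words[0].lower() != "options":
                continue  # comments and other directives are ignored here
            args = [w.lower() for w in words[1:]]
            signed = [a[0] in "+-" for a in args]
            if any(signed) and not all(signed):
                # Apache 2.4 refuses such a line instead of guessing
                raise ValueError(f"{path}: Options mixes signed and unsigned keywords")
            if not any(signed):
                # an unsigned list replaces everything inherited from above
                state, decided_by = False, path
            for a in args:
                if a.lstrip("+-") in ("indexes", "all"):
                    state, decided_by = not a.startswith("-"), path
    return state, decided_by

# Constructed sample: a parent directory turns listings on, a child turns them off.
SAMPLE = {
    "/www/.htaccess": "Options Indexes FollowSymLinks\n",
    "/www/htdocs/.htaccess": "Options -Indexes\n",
    "/www/htdocs/example/.htaccess": "# no Options here\nAddType text/plain .txt\n",
}

if __name__ == "__main__":
    for p in htaccess_chain("/www/htdocs/example"):
        print("consulted:", p)
    print(indexes_enabled("/www/htdocs/example", SAMPLE))
```

The directory nearest the requested file that sets Indexes wins, which is why a listing disabled high in the tree can be re-enabled by a .htaccess file further down unless overrides are restricted.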
