1 Replies - 218 Views - Last Post: 22 April 2019 - 09:07 AM

#1 JamesAndersonJr

  • New D.I.C Head

Reputation: -5
  • Posts: 26
  • Joined: 03-December 13

Are there any common htaccess mistakes that could reveal the svr root?

Posted 21 April 2019 - 09:37 AM

I have an .htaccess file in my public root directory (e.g. /home/[shared_hosting_account_name]/public_html/.htaccess) that was revealing the full path to the root of my server after the requested host name (e.g. https://www.example.com/home/[shared_hosting_account_name]/public_html/[requested subfolder]). Now I don't believe I need to explain to you how severe of a security risk this is on a GoDaddy shared hosting account, because cpanel.[domain_name] will reveal a login page where the shared hosting account name is usually always the username, and there is no 2-step authentication if someone happens to guess the password, or brute-force attacks it.

So what I did was come up with a band-aid fix in my root .htaccess file, like so:

RewriteRule ^(.*home\/\w+\/public_html\/?)+(.*)?$ /called-path-to-root-so-fix-this-asap/$2 [R=301,L]


I still do not know what rule or directive could possibly be responsible for revealing the full path from the root of the server, but I have included a few redacted snippets from my root .htaccess file below for further public review.

Please, remember these important points during your review:

  • This .htaccess file is located in the root 'public_html' folder of my hosting account (not the server file system root)
  • This is not the complete file (some 'known working' snippets were removed for privacy and security purposes)
  • The conditional <If> statement encompassing much of the code uses my actual domain instead of 'example\.com' in the original source version, and has proved to be working correctly.


# ################################################################### #
# Turn on 'mod_rewrite':
# ################################################################### #

RewriteEngine On
RewriteBase /

# ################################################################### #
# Follow symbolic links:
# ################################################################### #

Options +FollowSymlinks

# ################################################################### #
# Disable directory browsing:
# ################################################################### #

# 'IndexIgnore *' only hides entries from an auto-generated index listing;
# 'Options -Indexes' stops mod_autoindex from producing a listing at all (403).
Options -Indexes
IndexIgnore *

# ################################################################### #
# Specify Error Documents:
# ################################################################### #

# Error - [401] Unauthorized

ErrorDocument 401 /error_documents/error401.php

# Error - [403] Forbidden

ErrorDocument 403 /error_documents/error403.php

# Error - [404] Not Found

ErrorDocument 404 /error_documents/error404.php

# Error - [500] Internal Server Error

ErrorDocument 500 /error_documents/error500.php

# ################################################################### #
# Protect all [ .htaccess ], and [ error_log ] files, from public view:
# ################################################################### #

<Files .htaccess>
order allow,deny
deny from all
</Files>

<Files .htpasswd>
order allow,deny
deny from all
</Files>

<Files php.ini>
order allow,deny
deny from all
</Files>

<Files error_log>
order allow,deny
deny from all
</Files>

<Files error_log.log>
order allow,deny
deny from all
</Files>

<Files php_error_log.log>
order allow,deny
deny from all
</Files>

# ################################################################### #
# Protect root 'home' directory path from public view (for all sites):
# ################################################################### #

RewriteRule ^(.*home\/\w+\/public_html\/?)+(.*)?$ /called-path-to-root-so-fix-this-asap/$2 [R=302,L]

# ################################################################### #

# Header set X-XSS-Protection "1; mode=block" 

# ################################################################### #
# Allow 'some' files to be included from 'any' other origin on the Web:
# See: [ https://stackoverflow.com/questions/2892691/ ]
# ################################################################### #

<FilesMatch "(?i)\.(css|eot|gif|ico|jpe?g|js|otf|png|svg|tt.|woff.?)$">

Header set Access-Control-Allow-Origin "*"

</FilesMatch>

# ################################################################### #
# Set the default handler:
# ################################################################### #

DirectoryIndex index.php index.html index.htm park/index.php park/index.html park/index.htm /error_documents/error404.php

# ################################################################### #
# Declare 'Conditional' Directives. [BEGIN]
# ################################################################### #

<If "%{HTTP_HOST} =~ m'(?i)^((www\.)?example\.com)'">

# ################################################################### #
# Fix the URL path:
# ################################################################### #

# Remove root page path (e.g. 'index.php') for URL canonicalization. [BEGIN] #

RewriteCond %{THE_REQUEST} ^.*\/(default|home|index|welcome)\.(asp|cfml?|cgi|s?html?|php\d?|pl) [NC]
RewriteCond %{REQUEST_URI} !^.*\/(json|park|ttl|vcf|xml)\/.+$ [NC]
RewriteRule ^(.*)(default|home|index|welcome)\.(asp|cfml?|cgi|s?html?|php\d?|pl)$ /$1 [NC,NE,R=301,L]

# Remove root page path (e.g. 'index.php') for URL canonicalization. [END] #

# These rules [BELOW] remove all unnecessary URL forward slashes ("/"), dots ("."), and other hacky garbage from the URL. [BEGIN] #

# Rule (1): Remove multiple forward-slashes ("/") 'anywhere' in the requested URL. See: [ https://stackoverflow.com/questions/31933042 ] & [ https://stackoverflow.com/questions/17080652 ].

# Only inspect the request path (the part before '?'): a bare '//' would also match
# a query string such as '?u=http://x' and then redirect to itself for ever.
RewriteCond %{THE_REQUEST} \s[^?]*//
# Use an absolute substitution ('/$0'): a relative one in per-directory context has
# the directory prefix prepended whenever RewriteBase is not in effect.
RewriteRule ^.*$ /$0 [NE,R=302,L]

# Rule (2): Remove trailing slash from the 'end' of the URL.

# Leave real directories alone: mod_dir (DirectorySlash) would add the slash back
# with its own redirect, and the two redirects would loop.
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)/+$ /$1 [NE,R=302,L]

# Rule (3): Remove erroneous periods 'anywhere' in the requested URL.



# These rules [ABOVE] remove all unnecessary URL forward slashes ("/"), dots ("."), and other hacky garbage from the URL. [END] #

# ################################################################### #
# Fix the URL:
# ################################################################### #

# Rule (1): Remove ALL trailing dot(s) at the end of the [ hostname ]. See: [ https://stackoverflow.com/questions/31972945/ ].

# '\.+$' strips every trailing dot, not just the last one.
RewriteCond %{HTTP_HOST} ^(.+?)\.+$
RewriteRule ^ https://%1%{REQUEST_URI} [NE,R=301,L]

# Rule (2): Redirect 'non-www' version of site to 'www' version of site.

RewriteCond %{HTTP_HOST} ^[^.]+\.[^.]+$ [NC]
RewriteCond %{HTTPS}s ^on(s)| [NC]
RewriteRule ^ http%1://www.%{HTTP_HOST}%{REQUEST_URI} [NE,R=301,L]

# ################################################################### #
# Automatically convert ALL 'http://' requests to 'https://' requests:
# ################################################################### #

RewriteCond %{HTTPS} !on [NC]
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [NE,R=301,L]

# ################################################################### #
# Declare 'Charset', and 'Language' headers (by individual file extensions):
# ################################################################### #

AddDefaultCharset UTF-8

DefaultLanguage en-US

AddCharset UTF-8 .css .htm .html .js .json .json-ld .jsonld .php .ttl .txt .vcf .xml

# ################################################################### #
# Turn off 'gzip' compression for ALL video files and some audio files:
# ################################################################### #

<FilesMatch "(?i)\.(avi|mp3|mp4|ogg)$">

SetEnv no-gzip 1

</FilesMatch>

# ################################################################### #
# Compress 'css', html, 'Javascript', 'json', 'ttl', 'txt' and 'xml':
# ################################################################### #

<FilesMatch "(?i)\.(css|html?|js|(json((\-)?ld)?)|ttl|txt|xml)$">

SetOutputFilter DEFLATE

</FilesMatch>

# ################################################################### #
# Declare 'Conditional' Directives. [END]
# ################################################################### #

</If>

# ################################################################### #




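A check for the symptom described in the post, added here as an example (it is not code from the original post or its poster): it scans redirect Location headers and response bodies for the /home/[account]/public_html document-root pattern the post describes, and applies the poster's band-aid RewriteRule pattern to a path the way mod_rewrite presents it in .htaccess (per-directory) context, with the leading slash already stripped. The account name and the sample responses are constructed.

```python
import re
from typing import Dict, List, Tuple

# Shared-hosting document roots follow /home/<account>/public_html (assumed layout,
# as described in the post). Any occurrence in a response is a server-path leak.
DOCROOT_RE = re.compile(r"/home/(?P<account>\w+)/public_html(?:/[^\s\"'<>]*)?")

# The poster's band-aid RewriteRule pattern, used verbatim (Python re accepts it).
BANDAID_RE = re.compile(r"^(.*home\/\w+\/public_html\/?)+(.*)?$")
BANDAID_TARGET = "/called-path-to-root-so-fix-this-asap/"


def find_docroot_leaks(headers: Dict[str, str], body: str) -> List[Tuple[str, str, str]]:
    """Return (where, account, matched_text) for every document-root path found.
    Redirect Location headers and error-page bodies are the usual places."""
    hits = []
    for name, value in headers.items():
        for m in DOCROOT_RE.finditer(value):
            hits.append((f"header:{name}", m.group("account"), m.group(0)))
    for m in DOCROOT_RE.finditer(body):
        hits.append(("body", m.group("account"), m.group(0)))
    return hits


def apply_bandaid(per_dir_path: str) -> str:
    """Apply the poster's rule to a path as mod_rewrite sees it in per-directory
    context (leading '/' stripped). Returns the redirect target, or the input
    unchanged when the rule does not match."""
    m = BANDAID_RE.match(per_dir_path)
    if not m:
        return per_dir_path
    return BANDAID_TARGET + (m.group(2) or "")


# Constructed sample responses (not real traffic): a headers dict plus body text.
SAMPLES = {
    "redirect_leak": ({"Location": "https://www.example.com/home/acct123/public_html/blog"}, ""),
    "error_page_leak": ({"Content-Type": "text/html"},
                        "<b>Warning</b>: include(): failed in /home/acct123/public_html/index.php on line 12"),
    "clean": ({"Location": "https://www.example.com/blog"}, "<html>ok</html>"),
}


def scan_samples() -> Dict[str, List[Tuple[str, str, str]]]:
    """Run the leak check over every constructed sample."""
    return {name: find_docroot_leaks(h, b) for name, (h, b) in SAMPLES.items()}
```

Running `scan_samples()` flags the redirect and the error page but not the clean response; `apply_bandaid("home/acct123/public_html/blog/post-1")` shows what the poster's rule turns a leaked path into.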

Replies To: Are there any common htaccess mistakes that could reveal the svr root?

#2 astonecipher

  • Senior Systems Engineer

Reputation: 2943
  • Posts: 11,435
  • Joined: 03-December 12

Re: Are there any common htaccess mistakes that could reveal the svr root?

Posted 22 April 2019 - 09:07 AM

I'm guessing you didn't create the htaccess file, it was just there?

Strip everything out. You shouldn't need to have a rule that goes to the root of the server, just the root of your account anyway.
