Webserver Directory traversal
Overview
File path traversal (directory traversal) is a common security issue in web applications. An attacker reaches files or directories on the web server's filesystem through a crafted request URL, which can expose configuration files, credentials and other sensitive data.
If you are using Apache as the front-end web server, the steps below stop this kind of path traversal with a small amount of configuration.
Issue:
Any file on the application server can be accessed by appending a path to the URI, for example “https://xyz.com/file/”, and if Apache runs as the root user, even /etc/passwd and other protected files can be read this way.
Solution
Here we use the mod_rewrite module provided by Apache to block such requests.
Follow the steps below to configure this in the Apache configuration file httpd.conf.
– Add the entry below to the LoadModule section of httpd.conf to enable the mod_rewrite module:
LoadModule rewrite_module modules/mod_rewrite.so
– Put the configuration below anywhere in httpd.conf:
<IfModule rewrite_module>
RewriteEngine On
# Answer 403 Forbidden when the raw request line contains a ".." path segment,
# plain or percent-encoded; without this condition the rule would forbid every request.
RewriteCond %{THE_REQUEST} (\.\./|\.\.%2f|%2e%2e) [NC]
RewriteRule ^/(.*)$ - [F]
</IfModule>
– Put the configuration below in place to stop directory browsing:
Options -Indexes
Here “-Indexes” turns off automatic directory listings (mod_autoindex): a request for a directory that has no index file is refused instead of showing the directory's contents.
– Restart the Apache service and test.
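To test the configuration offline before touching a live server, the following Python script (an added example, not part of the original post or of Apache) re-expresses the RewriteCond pattern above and runs it over a handful of constructed request lines, then shows the check an application should still perform itself: resolving the requested path and confirming it stays under the document root. The document root /srv/www/html and the request lines are assumptions made up for the example.

```python
import os
import re
from typing import Optional, Tuple
from urllib.parse import unquote

# Assumed document root for the example; it need not exist on disk.
DOCUMENT_ROOT = "/srv/www/html"

# The same condition as the RewriteCond in httpd.conf, applied to the whole
# request line just as %{THE_REQUEST} would be (case-insensitive, like [NC]).
TRAVERSAL_PATTERN = re.compile(r"(\.\./|\.\.%2f|%2e%2e)", re.IGNORECASE)

# Constructed request lines, the kind that would appear in an access log.
SAMPLE_REQUEST_LINES = [
    "GET /file/report.pdf HTTP/1.1",
    "GET /file/../../etc/passwd HTTP/1.1",
    "GET /file/%2e%2e/%2e%2e/etc/passwd HTTP/1.1",
    "GET /file/..%2f..%2fetc/passwd HTTP/1.1",
    # Double-encoded: the rewrite rule does not see ".." in this raw line.
    "GET /file/%252e%252e/%252e%252e/%252e%252e/etc/passwd HTTP/1.1",
]


def rewrite_would_forbid(request_line: str) -> bool:
    """True if the mod_rewrite [F] rule would answer 403 for this request line."""
    return TRAVERSAL_PATTERN.search(request_line) is not None


def resolve_under_root(document_root: str, url_path: str) -> Optional[str]:
    """Map a URL path onto the filesystem and return the resolved path, or None
    when the decoded, normalised path escapes document_root.

    The path is percent-decoded twice to mirror an application that decodes a
    second time after the web server; that is where the double-encoded sample
    becomes a real ".." and why the filesystem check is still needed.
    """
    decoded = unquote(unquote(url_path))
    root = os.path.realpath(document_root)
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # commonpath, not startswith, so that /srv/www/html2 is not accepted.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def check_request(document_root: str, request_line: str) -> Tuple[bool, Optional[str]]:
    """Return (forbidden_by_rewrite, resolved_path_or_None) for one request line."""
    _method, url, _protocol = request_line.split(" ", 2)
    forbidden = rewrite_would_forbid(request_line)
    path = None if forbidden else resolve_under_root(document_root, url)
    return forbidden, path


if __name__ == "__main__":
    for line in SAMPLE_REQUEST_LINES:
        forbidden, path = check_request(DOCUMENT_ROOT, line)
        verdict = "403 by mod_rewrite" if forbidden else (
            "served: " + path if path else "rejected by path check")
        print(f"{line:<65} -> {verdict}")
```

The last sample line is the one to pay attention to: the rewrite condition passes it through because the raw request line contains no ".." and no "%2e", so only the resolved-path check catches it. The mod_rewrite rule is a useful first filter, but the application that maps URLs to files must still verify the resolved path itself.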