Login/Register
.htaccess - Make a directory invisible
Asked Answered
Solved apache.htaccessmod-rewritehttp-status-code-404http-status-code-403
L

3

1

I have a .htaccess file that currently looks like:

<Files .htaccess>
    order allow,deny
    deny from all
</Files>

Options All -Indexes
IndexIgnore *

# Respond to /include/ with 404 instead of 403
RewriteEngine On
RedirectMatch 404 ^/include(/?|/.*)$

I'm trying to prevent everyone from knowing that /include/ exists, however I've come across an issue.

Although visiting http://www.example.com/include gives a 404, the browser adds an end slash (thus giving http://www.example.com/include/) which shows that the directory is in fact there, but is being disguised. When an actual 404 is visited, an end slash is not appended.

Is there a way to prevent this behavior?

Luhe answered 10/10, 2011 at 18:39 Comment(3)
What's the difference is someone figures out its there or not if the directory is protected? And why bother using a 404 over a 403? This is what a 403 is made for.Helmuth
I'm thinking about future security. It's overkill, but it's better to be safe than sorry.Luhe
@Michael Irigoyen sorry, but even "security by obscurity" is still better than nothing. Attacker should know as little as possible about the system. If he knows that there are some hidden directories he might chain these micro-leaks with other vulnerabilities like LFI / code leaks / etc. One could still bruteforce such hidden directories with LFI, but an attacker will need to know directory name + file name. Without such leaks attacker would need more time to exploit the system. Btw, no idea why 403 is even there, but IMHO it's absolutely USELESS. Hide & protect everything you can.Staunch
B
3

1. You can use DirectorySlash Off to tell Apache to not to add trailing slash at the end of directories.

2. Why use RewriteEngine On if you do not actually use rewrite engine (based on the code you have provided)? RedirectMatch has nothing to do with mod_rewrite.

3. If you want to use mod_rewrite here, then try this rule -- it will return 404 code for /include folder (with and without trailing slash) as well as ANY resource inside that file (e.g. /include/main.php etc).

RewriteEngine On

RewriteRule ^include(/|/.+)?$ - [R=404,L]
Bartonbartosch answered 10/10, 2011 at 19:5 Comment(3)
I have mod_rewrite enabled because I was about to add some URL rewriting :) Ideally (not in the scope of this question), I would have liked to forward all 403 directories to 404s, but your suggestions have solved my current problem. Thanks! :)Luhe
@Luhe If you want forward all 403 into 404 -- try ErrorDocument 403 /403.php and in that 403.php (or whatever server side scripting language you have there) just send proper 404 header (it will override 403 code).Bartonbartosch
@Bartonbartosch downvoted, because it only protects against basic folder search. It is possible to bypass your rule and still detect that folder with requests like "include/.php" and "include/.htaccess" (you'll get 403 error instead of expected 404). Requests to nonexistant folders "includeXXX/.php" and "includeXXX/.htaccess" will result in 404. So you can try to detect such hidden folders with requests like ${dirname}/.php or ${dirname}/.htaccessStaunch
S
1

Leaking directory existence through dot-files

There are some cases where following lines of code are not enough to hide your directory:

RewriteEngine On
RewriteRule ^include(/|/.+)?$ - [R=404,L]

Those lines won't block requests like include/.php, include/.ht, include/.htaccess (instead you will receive a 403 Forbidden error which will indicate that the directory include exists). Instead one would like to forbid access to all dot-files to prevent leaking folder existence (.git, .php (just ".php" - without a file name), .htaccess, ...). (Side note: I guess there might be some issues between the .htaccess file and main Apache config file where you can forbid access to ".ht" files and allow to execute ".php" files - that's why such requests are doing their own thing without beeing simply rewritten to 404 error. Instead they are returning 403 error).

So you can bypass the above rules by sending following requests (you'll receive 403 Forbidden error):

You can verify that you'll get 404 Not Found error if directory doesn't exist:

Possible Fix

You need to match all the dot-files. So first you disallow access to them (403 error) and then you just rewrite 403 error to 404 error.

Options -Indexes
RewriteEngine On
RewriteRule ^secret.*$ - [R=404,L]

RewriteRule ^404_error$ - [R=404,L]

<FilesMatch "^\\.">
    order allow,deny

    # 403 error
    deny from all

    # Rewrite 403 error to 404 error
    # Error document must be:
    # - "a string with error text" OR
    # - an absolute path which starts with "/" OR
    # - URL (you'll get a redirect)
    ErrorDocument 403 /404_error
</FilesMatch>

These requests are now blocked and you'll get an 404 Not Found error:

  • /secret/treasure.php (all files and directories in that folder)
  • /secret
  • /secret/
  • /secret?42
  • /secret/?23
  • /secret/.php
  • /secret/.htaccess

This is an answer from my similar question: Rewrite requests to directory with htaccess to 404 error

Staunch answered 14/4, 2020 at 1:44 Comment(1)
problem with this approach that it requires ErrorDocument where you have to hardcode path to your document root error - in that case: /404_error. If you have your project in extra directory like /myproject/, than you have to change error document path in your .htaccess fileStaunch
A
0

Use a rewrite rule in addition to the RedirectMatch.

Arborization answered 10/10, 2011 at 18:42 Comment(3)
Why in addition? Just Instead.Bartonbartosch
You are correct. Rewrite would prevent any redirect action even if it was there.Arborization
@WatermarkStudios I tested with RedirectMatch, nothing happened. Solution with RedirectMatch didn't work.Staunch

© 2022 - 2024 — McMap. All rights reserved.