How to remediate – Apache .htaccess and .htpasswd Disclosure

1. Introduction

The Apache .htaccess and .htpasswd Disclosure vulnerability allows attackers to access sensitive information via HTTP requests. This can expose website configuration details, user credentials, and other critical data. Web servers running Apache are typically affected. A successful exploit could lead to a loss of confidentiality, integrity, and availability.

2. Technical Explanation

The vulnerability occurs because the Apache server doesn’t properly restrict access to .htaccess and .htpasswd files. An unauthenticated attacker can request these files directly from the web server, potentially downloading them. This is a common misconfiguration rather than a flaw in the core Apache code itself.

• Root cause: Insufficient or missing restrictions on accessing .htaccess and .htpasswd files within the webserver’s document root.
• Exploit mechanism: An attacker sends an HTTP request to retrieve the .htaccess or .htpasswd file directly (e.g., http://example.com/.htaccess).
• Scope: Apache web servers, particularly those with default configurations or without explicit access controls for these files.

3. Detection and Assessment

You can confirm vulnerability by attempting to download the .htaccess file directly from a test URL. Thorough assessment involves scanning the entire web server directory structure.

• Quick checks: Use a web browser or curl to request http://example.com/.htaccess and http://example.com/.htpasswd. If either file downloads, the system is vulnerable.
• Scanning: Nessus plugin ID 32864 can detect this vulnerability. OpenVAS also has relevant checks. These are examples only.
• Logs and evidence: Check Apache access logs for requests to .htaccess or .htpasswd files. Look for HTTP status codes 200 (OK) indicating successful retrieval.

curl http://example.com/.htaccess

4. Solution / Remediation Steps

Change the Apache configuration to block access to these files. This is a standard security practice and should be implemented on all Apache web servers.

4.1 Preparation

• Take a backup of your Apache configuration file (e.g., httpd.conf or apache2.conf) before making changes. Stop the Apache service if necessary for maintenance windows.
• Ensure you have access to modify the Apache configuration files and restart the service. A roll back plan is to restore the original configuration file.
• A change window may be required, depending on your organization’s policies. Approval from a system administrator might be needed.

4.2 Implementation

1. Step 1: Edit your Apache configuration file (e.g., httpd.conf or apache2.conf).
2. Step 2: Add the following lines within the <Directory> block for your website’s document root:

   <Files .htpasswd>
           Require all denied
       </Files>
       <Files .htaccess>
           Require all denied
       </Files>

3. Step 3: Save the configuration file.
4. Step 4: Restart the Apache service to apply the changes (e.g., sudo systemctl restart apache2 or sudo service httpd restart).

4.3 Config or Code Example

Before

<Directory /var/www/html>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>

After

<Directory /var/www/html>
    Options Indexes FollowSymLinks
    AllowOverride None  # Important: Disable .htaccess processing if not needed.
    Require all granted
    <Files .htpasswd>
        Require all denied
    </Files>
    <Files .htaccess>
        Require all denied
    </Files>
</Directory>

4.4 Security Practices Relevant to This Vulnerability

Several security practices can help prevent this issue. Least privilege reduces the impact of a successful exploit, and secure defaults minimize misconfigurations.

• Practice 1: Implement least privilege principles for web server accounts. Limit access to only necessary files and directories.
• Practice 2: Use safe default configurations for Apache. Disable unnecessary features and restrict access to sensitive files by default.

4.5 Automation (Optional)

If using configuration management tools, automate the addition of these directives to your Apache configuration files.

# Example Ansible snippet:
- name: Block access to .htaccess and .htpasswd
  lineinfile:
    path: /etc/apache2/apache2.conf # Adjust path as needed
    insertafter: '^<Directory'
    line: '    <Files .htpasswd>'
  notify: Restart Apache
- name: Add Require all denied for .htpasswd
  lineinfile:
    path: /etc/apache2/apache2.conf # Adjust path as needed
    insertafter: '^    <Files .htpasswd>'
    line: '        Require all denied'
  notify: Restart Apache
- name: Add Require all denied for .htaccess
  lineinfile:
    path: /etc/apache2/apache2.conf # Adjust path as needed
    insertafter: '^    <Files .htpasswd>'
    line: '    <Files .htaccess>'
  notify: Restart Apache
- name: Add Require all denied for .htaccess
  lineinfile:
    path: /etc/apache2/apache2.conf # Adjust path as needed
    insertafter: '^    <Files .htaccess>'
    line: '        Require all denied'
  notify: Restart Apache
handlers:
  - name: Restart Apache
    service:
      name: apache2
      state: restarted

5. Verification / Validation

• Post-fix check: Use a web browser or curl to request http://example.com/.htaccess and http://example.com/.htpasswd. You should receive an HTTP 403 (Forbidden) error.
• Re-test: Repeat the quick checks from Section 3. The files should no longer be downloadable.
• Monitoring: Monitor Apache access logs for any failed attempts to access .htaccess or .htpasswd files. A sudden increase in these errors could indicate an attack attempt.

curl -I http://example.com/.htaccess

6. Preventive Measures and Monitoring

Regular security baselines and pipeline checks can prevent this issue. Patch cadence ensures timely updates to address known vulnerabilities.

• Baselines: Update your server security baseline to include restrictions on accessing .htaccess and .htpasswd files. Consider using a CIS benchmark or similar standard.
• Asset and patch process: Implement a regular patch review cycle