Htaccess Bypass

By
Nash N Sulthan
Published on
30 Apr 2021
3 min read
Vulnerability
Htaccess

.htaccess stands for hypertext access and it is a configuration file used on Apache web servers. .htaccess files (or “distributed configuration files”) allows you to perform configuration adjustments on a per-directory basis.

A file comprising one or more configuration directives is stored in a particular document directory, and the directives apply to that directory and all subdirectories thereof.

The importance of .htaccess files are that it:

  • Protects folders using passwords

  • Allows or bans users utilizing IP addresses

  • Creates aliases for extensions

  • Can be used for listing directory files

  • Can be utilized for redirecting URLs

  • May be used to generate customized error messages

  • Can control caching

A sample .htaccess file may look like:

        AuthType Basic 
        AuthName "My Example Folder" 
        AuthUserFile /www/sites/www.example.com/.htpasswd 
        Require valid-user 


    

The above code specifies password authentication and:

  • AuthType: Specifies the authentication to be used

  • AuthName: Specifies the text to be displayed on the password prompt

  • AuthUserFile: Indicates the server path to .htpasswd file

  • Require valid-user: This line specifies the possibility of several users to log in to the password protected area. If you want to give access only to a specific user ‘require user username’ can be used.

Generally, .htaccess files can be accessed even when no direct access is provided to the main server configuration file. Sometimes the user may need to change the configuration settings and might not have the necessary privileges.

At times when the server administrator is not willing to make the changes frequently by themselves, they may give advanced privileges to the users. This allows users to make the necessary changes.

In this scenario, it is necessary that the user’s intention is genuine as any change made in the .htaccess file will be the same as a change made in the <directory> of the server configuration file. This is an added advantage for an attacker.

If a web application is vulnerable to file inclusion, we can easily access the .htaccess files.

Impact of .htaccess bypass

  • Can redirect users from search engines or error messages to malware.

  • Attackers use .htaccess files to hide malware or backdoors.

  • Executing malware from a hidden location by modifying the PHP value ‘auto_append_file’.

How to prevent .htaccess bypass

  • We can avoid this scenario by adding the code given below into the Apache configuration file which is in /etc/apache2.
        <FilesMatch “^/.ht”>
            Require all denied
        </FilesMatch>


    

This code will generate a 403 ‘Forbidden’ response to the request.

  • Limit access to the .htaccess file by modifying the web server configuration.

Written by
Nash N Sulthan
Nash N Sulthan
Cyber Security Lead Engineer
Experience the Beagle Security platform
Unlock one full penetration test and all Advanced plan features free for 10 days