Apache .htaccess LIMIT misconfiguration

.htaccess is a configuration file that is used on internet servers running the Apache internet Server software package. Many HTTP methods are available on a web server like “GET”, “POST”, “OPTIONS” and many more. All these methods have a purpose and pose a risk in using any of these headers. The tag helps the administrator to block any of these methods. This tag is found inside the .htaccess file. The tag blacklists the methods that can pose a threat to the application. As this tag follows a blacklist approach, the administrator might forget few of the methods. This negligence can have a significant impact on the application and might make the application vulnerable to attacks. There is another tag which prefers a whitelisting approach. The tag is .

Example

The code shows the example of and .

        <Limit OPTIONS GET> </Limit>//This tag limits the usage of OPTIONS and GET.
        <LimitExcept GET POST> </LimitExcept> //This tag only allows GET and POST.

    

Impact

If function is improperly used, the attacker might use methods to attack the server. Using the DELETE method, the attacker can DELETE resources from the server. The attacker can use other methods to temper with the server.

Mitigation / Precaution

Beagle recommends the following impacts:-

• Use a whitelist approach to permit HTTP methods. The tag is the best choice for implementing whitelisting approach.

        <LimitExcept GET POST>
        </LimitExcept>

    

The above tag will block every other tag other than “GET” and “POST”.

Written by

Manindar Mohan

Cyber Security Lead Engineer