Home / server / Questions / 551015
Accepted
John Magnolia
Asked: 2013-11-07 00:17:13 +0800 CST

Apache forbidden with dot in url

  • 772

I am trying to access url: http://www.domain.com/data/images/.mthumbs/thumb-image.png

I know that this file definitely exists and correct permissions for reading: /data/images/.mthumbs/thumb-image.png

But when I view in url apache give forbidden error. Could it be because of the .mthumbs

apache-2.2

1 Answers

  1. Best Answer

    Such files are hidden files in linux, by convention, and security-sensitive files (.htaccess and .htpasswd in particular) begin with .. Additionally, a popular though outmoded exploit once involved putting .. in paths, and the use of /./ in paths could in some cases be used to foil access rules. For these reasons, most apache configurations tend to deny access to these files and paths.

    You should have a rule somewhere that does something along the lines of:

    <FilesMatch "^\.">
    Order allow,deny
    Deny from all
</FilesMatch>

    Note that it might look very little like that; it's only an example. Make sure you've covered all the security bases I mentioned earlier, and then get rid of that rule, or scope it appropriately.

    By far the easier, safer, and more standard thing to do would be to amend your directory structure and/or application to not require pathnames with elements that have a leading ..

    • 5