apache2 security issue with .htaccess, .htpasswd and .DS_Store files; update to 2.2.13_2 and fix your httpd.conf

Ryan Schmidt ryandesign at macports.org
Sun Aug 30 04:35:59 PDT 2009


If you use apache2 @2.2.13_0 or earlier, there is a security issue you
need to be aware of and fix immediately.

The default httpd.conf file provided with apache2 @2.2.8_1 through
@2.2.13_0 has a security issue: any .htaccess and .htpasswd files you
use, and any .DS_Store files the OS may have created for you, ARE NOT
protected from web access as they should be, and anyone could read them
by requesting the right URL from your web server, which could expose
information about your server that should not be public. .htaccess
files contain web server configuration information, .htpasswd files
contain usernames and encrypted passwords, and .DS_Store files contain
filenames and other information about the files in the directory.

Upgrading to apache2 @2.2.13_2 will fix the problem in the sample
config file at /opt/local/apache2/conf/original/httpd.conf, but you
must manually make the changes to your own config file at
/opt/local/apache2/conf/httpd.conf. An incorrect httpd.conf will have
this line:


<Files ~ "^<.([Hh][Tt]|[Dd][Ss]_[Ss])">


The corrected line is:


<Files ~ "^\.([Hh][Tt]|[Dd][Ss]_[Ss])">


(There is just one character difference: "<" should be "\". With "<"
the pattern only matches names that begin with a literal "<" character,
so it never matches a file whose name begins with a dot.)


There is a second issue relating to preventing access to named forks,
which affects apache2 @2.2.8_1 through @2.2.13_1. An incorrect
httpd.conf will have these lines:


<Directory  ~ ".\.\.namedfork">
     Order allow,deny
     Deny from all
     Satisfy All
</Directory>


The corrected lines are:


<DirectoryMatch ".*\.\.namedfork">
     Order allow,deny
     Deny from all
     Satisfy All
</DirectoryMatch>


("Directory" changes to "DirectoryMatch"; "~" is removed; "*" is added
to the string)

I do not believe the incorrect namedfork definition will cause any  
information to be disclosed by your server, but the changes should be  
made so that you are using the directives recommended by Apple:

http://support.apple.com/kb/TA22750


The default config files in apache2 @2.2.8_0 and earlier, and in all
versions of the apache20 and apache ports so far, DO NOT make any
attempt to block access to your .htaccess, .htpasswd and .DS_Store
files or named forks. If your httpd.conf originates from one of these
ports, install the necessary protection in your httpd.conf by
replacing all of these lines:


<FilesMatch "^\.ht">
     Order allow,deny
     Deny from all
     Satisfy All
</FilesMatch>


With all of these lines:


<Files ~ "^\.([Hh][Tt]|[Dd][Ss]_[Ss])">
     Order allow,deny
     Deny from all
     Satisfy All
</Files>
<Files "rsrc">
     Order allow,deny
     Deny from all
     Satisfy All
</Files>
<DirectoryMatch ".*\.\.namedfork">
     Order allow,deny
     Deny from all
     Satisfy All
</DirectoryMatch>
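As an added check (my own script, not code from the apache2 port or from MacPorts), the following Python extracts the Files / FilesMatch patterns from an httpd.conf fragment and reports which sensitive basenames they fail to match, which is how you can tell the broken, corrected and old-port blocks above apart before restarting the server. The three fragments it tests are constructed from the lines above; the .HTACCESS probe is my own addition.

```python
import re

# Constructed snippets (not copied from a real httpd.conf): the typo shipped in
# apache2 @2.2.8_1 through @2.2.13_0, the corrected block, and the ^\.ht-only
# block that apache2 @2.2.8_0 and earlier shipped.
BROKEN_CONF = r'''
<Files ~ "^<.([Hh][Tt]|[Dd][Ss]_[Ss])">
     Order allow,deny
     Deny from all
     Satisfy All
</Files>
'''
FIXED_CONF = BROKEN_CONF.replace('"^<.', '"^\\.')   # the one-character fix
OLD_CONF = r'''
<FilesMatch "^\.ht">
     Order allow,deny
     Deny from all
     Satisfy All
</FilesMatch>
'''

# Basenames the block must keep off the web. The upper-case probe shows why the
# pattern spells out [Hh][Tt]: Apache matches these regexes case-sensitively,
# while an HFS+ lookup of .HTACCESS still finds .htaccess.
SENSITIVE = [".htaccess", ".htpasswd", ".DS_Store", ".HTACCESS"]

# <Files ~ "re"> and <FilesMatch "re"> take a regex; <Files "name"> is literal.
_CONTAINER = re.compile(
    r'<(?P<kind>Files\s*~|FilesMatch|Files)\s+"(?P<arg>[^"]+)"\s*>', re.I)

def file_patterns(conf):
    """Compile one regex per Files / FilesMatch container found in conf."""
    pats = []
    for m in _CONTAINER.finditer(conf):
        if m.group("kind").lower() == "files":       # literal <Files "name">
            pats.append(re.compile("^" + re.escape(m.group("arg")) + "$"))
        else:                                        # regex form
            pats.append(re.compile(m.group("arg")))
    return pats

def unprotected(conf, names=SENSITIVE):
    """Return the names no container matches; Apache applies the regex to the
    request's basename unanchored, which is what re.search does here."""
    pats = file_patterns(conf)
    return [n for n in names if not any(p.search(n) for p in pats)]

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF), ("old", OLD_CONF)):
        print(f"{label:6s} still exposed: {unprotected(conf)}")
```

Run it against your own /opt/local/apache2/conf/httpd.conf by passing the file's contents to unprotected(); an empty list means every probe name is blocked.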




