Arbitary File Download Vulnerability


Some websites may provide file viewing or download functionality because of business needs. If you do not limit user from viewing or downloading files, a malicious user may attempt to view or download any file from your server.

Attackers may construct malicious requests to download sensitive files from the server, and further embed website webshell files to control the website server host.


Please remove Indexes to stop Directory listing and this will also prevent Arbitrary file download  vulnerability, below are steps to configure the same in Apache configuration file httpd.conf.


Update the below configurations any where in the httpd.conf file


      <Directory "/var/www/html/ncn">

        Options Indexes FollowSymLinks MultiViews

        AllowOverride None

        Order allow,deny

        Allow from

        Deny from all




Additional you can configure which and what types of files can be secured from arbitrary download.


<Directory /var/www/example/subdomains/dev/public/webapp>

    RewriteEngine Off

    <Files *>

        order allow,deny

        deny from all


    <FilesMatch "\.(png|gif|jpe?g|png|css|js|swf|ps|flv)$">

        order allow,deny

        allow from all


– Restart the apache services and test the weburl.