Webserver Directory traversal

Updated on:

Webserver Directory traversal

Overview

File path traversal attack or directory traversal attack in web application is a common security issue.In this a hacker can get access to the files or directories of a webserver through the web url which will lead to major security issues.
If you are using Apache as front end web server then you can follow below steps to stop this path traversal attack easily.

Issue:

Any file on the application server can be accessed using the URI append like “https://xyz.com/file/” and if the apache is run by a root user, then even the /etc/passwd and other secured files can be accessed easily.

Solution

Here we will use the mod_rewrite provided by Apache to block this.
Please follow below steps to configure the same in Apache configuration file httpd.conf

– Add below entry to the loadmodule section in httpd.conf to enable the mod_rewrite module

 

LoadModule rewrite_module modules/mod_rewrite.so

Put the below configurations any where in the httpd.conf file

<IfModule rewrite_module>

RewriteEngine On

RewriteRule ^/(.*)$ - [F]

</IfModule>

– put below configurations to stop the directory traversal

Options -Indexes

Here “-Indexes” will stop the directory traversal.
– Restart the apache services and test.

More from Middleware Inventory

  • Apache Webserver Basic Authentication using htpasswd - How to

    Overview To Secure the Apache  Virtualhost (or) a particular document root /directory.  We can use this Basic Auth mechanism. When the user is trying to access the resource from the directory. User will be prompted  for Authentication.   Step1 Create a Password file with username and password entry using htpasswd  tool. Available…

  • Oracle Weblogic Basic Authentication

    Overview   Oracle WebLogic Server authentication is enabled by default. However, this configuration prevents Oracle WebLogic Server from using application managed authentication. You must disable Oracle WebLogic Server authentication by setting the enforce-valid-basic-auth-credentials parameter to false. Procedure  To disable Oracle WebLogic Server authentication: In a text editor, open the xmlfile from the domain folder. The config.xml file is in the Oracle/Middleware/user_projects/domains/domain_name/config directory. Locate the <security-configuration> Add the…

  • ansible search for string in file or check if string exists in file

    The Objective of this post is to show how to search for a string in a file with ansible. ansible provides various ways to accomplish the same.  We will cover,  three major ways to search for a string in a file. Lineinfile module Using the Shell module and grep command…

  • POODLE fix in Weblogic

    POODLE fix in Oracle weblogic server   Overview Newer versions of web browsers (e.g. Chrome) are now configured with policies which only allow websites or portal which enforce the strongest encryption technology to be viewed. SSL version 3 is no more secure due to POODLE attack. Most of the browser…

  • Remote Server - File System Lister [Linux]

    Have you ever  had the requirement of logging in to the Nnumber of remote servers (without keybased authentication ) and  get the mount point information and save it as CSV Report (or) Print it with a good console formatting. Then this is for you. Basically, It is a Shell script (…