So, I recently scanned my server for PCI compliance, and it failed. One of the reasons that it failed was due to a bunch of htaccess files that contain authentication information.
Here is what the scan results state:
THREAT:
.htaccess contains authentication information.
IMPACT:
Unauthorized users can gather authentication information from this file.
SOLUTION:
Change the Apache configuration so the .htaccess file cannot be accessed via the Internet.
When I visit one of the URLs they claim is giving access to .htaccess (hn.myserver.com:2095/.htaccess), I can access the file.
I have tried everything that I can think of to prevent this.
In httpd.conf I have this code (which was already there):
<Files ".ht*">
    Require all denied
</Files>
That was in there by default, but it doesn't block access. So, I tried adding this code, as per a suggestion I found, to httpd.conf:
<Files .htaccess>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Deny from all
    </IfModule>
</Files>
That also didn't block access. I read something where someone said to put the above code into the .htaccess file. So, I did a search for all .htaccess files via SSH, and found the one I was pretty sure is the one hn.myserver.com:2095/.htaccess downloads, at ./usr/local/cwpsrv/var/services/roundcube/. I added the code, and it still downloads. I checked the file, and it did have the new code in it, so I know I found the correct one.
I also read that I can just disable .htaccess by having AllowOverride None in my httpd.conf, but it was already in my httpd.conf file, and it doesn't do anything.
So, how do I block access to these? Nothing makes sense to me!
I should also note that I am using just straight Apache 2.4.39, no Varnish or NGINX.
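Two checks worth running before changing any more Apache directives, as an added example (not part of the original post): rules in httpd.conf only apply to whatever httpd itself serves, so first confirm which process is bound to port 2095, then verify from the client side whether /.htaccess is still served. It assumes `ss` (iproute2) and `curl` are installed, and the `ss` sample embedded below is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers to (1) identify the
# process listening on the port that serves the leaked file and (2) check the
# HTTP status returned for /.htaccess. Host and port are the ones from the post.

# Print the process name bound to port $1, reading `ss -ltnp` output on stdin.
listener_for_port() {
    port="$1"
    # keep lines whose local address ends in ":<port>", then pull the first
    # process name out of the users:(("name",pid=...,fd=...)) column
    grep -E "[:.]${port}[[:space:]]" \
        | sed -n 's/.*users:(("\([^"]*\)".*/\1/p' \
        | head -n 1
}

# Return 0 when an HTTP status code means the file is not exposed (403/404),
# 1 for anything else (200 means it is still downloadable).
dotfile_blocked() {
    case "$1" in
        403|404) return 0 ;;
        *)       return 1 ;;
    esac
}

# Fetch only the status code for a URL; the body is discarded, not saved.
probe_status() {
    curl -s -o /dev/null -w '%{http_code}' "$1"
}

# Constructed sample of `ss -ltnp` output, used for an offline self-check.
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 *:2095 *:* users:(("cwpsrv",pid=1234,fd=6))
LISTEN 0 128 *:80 *:* users:(("httpd",pid=2222,fd=4))'

# Live usage on the server in question:
#   ss -ltnp | listener_for_port 2095
#   dotfile_blocked "$(probe_status http://hn.myserver.com:2095/.htaccess)" \
#       && echo "blocked" || echo "STILL EXPOSED"
```

If the listener on 2095 is not httpd, the `<Files ".ht*">` block in httpd.conf cannot affect it and the fix belongs in that other service's configuration.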