Removing the dot or period from htaccess files - A dangerous move?
Problem: Removing the dot or period from htaccess files (and thus making it unhidden) - A dangerous move?
I tried to search in Google with the string "Can I remove the dot htaccess", but I didn't find anything directly related to this question.
The reason for removing it is simple: to edit it faster directly from the FTP client instead of navigating to the cPanel file manager...
It's dangerous in the sense that it won't work if you do. Apache will look for .htaccess and apply those rules as it serves content. Without finding that file, Apache will proceed assuming no additional directives are necessary.
.htaccess includes a leading . because it's a "hidden file" in Linux systems (which run most web servers).
Your FTP client has a setting to show hidden files. Turn it on. Or use a client that allows . hidden files to be seen.
And use SFTP as FTP sends clear-text credentials (clear-text => unencrypted as in you can retrieve them by running tcpdump or similar traffic analysis and capturing the packets).
Removing the dot or period from htaccess files and thus making it unhidden - A dangerous move?
You definitely have to be careful how you do it, as you might otherwise compromise the security of your server.
There are basically two dangers that you could encounter:
Reading your htaccess File
htaccess files are nothing special, and if you just rename .htaccess to htaccess, anyone can now read it, as it will be served as a normal file by Apache. It doesn't matter here if you changed AccessFileName or not. Access to .htaccess is denied by these lines in your Apache config, which will not catch htaccess:
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
This may have negative consequences, such as leaking of information. Your htaccess file may for example contain absolute paths, and possibly other sensitive information such as database passwords defined via SetEnv.
htaccess File not working
Of course, if you rename your .htaccess file, it will not be parsed anymore. This means that you have to change AccessFileName.
But if you just change AccessFileName .htaccess to AccessFileName htaccess, this might be dangerous, as some other applications on the same server may rely on .htaccess files being parsed. There are quite a few applications whose security heavily relies on .htaccess files being parsed properly, for example because it denies access to files containing passwords, uploaded PHP files, etc (relying on .htaccess files being parsed isn't ideal, but it does happen frequently).
Doing it right: Adding additional .htaccess file names
If you want to rename your .htaccess file, you have to do two things:
Add the new name to AccessFileName (do not remove the default .htaccess name):
AccessFileName .htaccess htaccess
And add a deny rule for it:
<FilesMatch "^htaccess">
Require all denied
</FilesMatch>
[it isn't quite clear to me if you want to rename your htaccess file permanently or just temporarily while editing it, but the dangers I described above apply in either case, as does the solution proposed]
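A way to check the two conditions described above (every name listed in AccessFileName must also be covered by a deny rule), as an added example that is not part of the original answer. The two sample configurations are constructed, the function names are hypothetical, and the check only understands FilesMatch blocks, not Files or DirectoryMatch.

```python
import re

# Constructed sample configs (not taken from any real server).
WEAK = r'''
AccessFileName .htaccess htaccess
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
'''
HARDENED = WEAK + r'''
<FilesMatch "^htaccess">
    Require all denied
</FilesMatch>
'''

BLOCK = re.compile(r'<FilesMatch\s+"?([^">]+)"?\s*>(.*?)</FilesMatch>', re.I | re.S)
DENY = re.compile(r'^\s*(Require\s+all\s+denied|Deny\s+from\s+all)\s*$', re.I | re.M)

def strip_comments(conf):
    """Drop whole-line comments so commented-out rules are not counted."""
    return '\n'.join(l for l in conf.splitlines() if not l.lstrip().startswith('#'))

def access_file_names(conf):
    """Names Apache parses as per-directory config; the default is .htaccess."""
    names = []
    for line in strip_comments(conf).splitlines():
        parts = line.split()
        if parts and parts[0].lower() == 'accessfilename':
            names = parts[1:]  # a later directive replaces an earlier one
    return names or ['.htaccess']

def deny_patterns(conf):
    """Regexes of FilesMatch blocks that deny all access (2.4 or 2.2 syntax)."""
    return [re.compile(rx) for rx, body in BLOCK.findall(strip_comments(conf))
            if DENY.search(body)]

def unprotected(conf):
    """Access file names no deny rule matches, so they are served as plain files."""
    pats = deny_patterns(conf)
    return [n for n in access_file_names(conf) if not any(p.search(n) for p in pats)]

if __name__ == '__main__':
    for label, conf in (('weak', WEAK), ('hardened', HARDENED)):
        print(label, 'unprotected:', unprotected(conf))
```

An empty list means each access file name is both parsed and denied to clients; any name returned is readable over HTTP.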
Removing the dot is renaming the file.
Once you do that, the web server won't be able to find the file, so its contents will no longer affect web server behavior.