Sergio Manzi
Regular Pleskian
TITLE:
Possible disclosure of information: .htaccess accessible through nginx

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE:
Plesk 17.8.10 (upgraded from 17.5.3#40)
CentOS 7.4.1708, Kernel 3.10.0-693

PROBLEM DESCRIPTION:
Possible disclosure of information:
- You have a site running under Apache having a .htaccess file in its root (or several of them in other directories)
- You re-configure that site to "Nginx-Only" hosting
- You forget to delete the .htaccess files
- The .htaccess files are accessible (like e.g.: https://www.example.com/.htaccess)

STEPS TO REPRODUCE:
- Have a site having a .htaccess file at its root and running under Apache
- Try to access that file from a browser
- You get an error 403 (Forbidden)
- Transition the site to Nginx-only hosting
- Try to access .htaccess again

ACTUAL RESULT:
You are "served" the .htaccess file and you can save it locally

EXPECTED RESULT:
Refusal to serve the file as a precaution (possible disclosure of sensitive information)

ANY ADDITIONAL INFORMATION:
I appreciate that the responsibility of the site content is under the user, but I think in a similar scenario it would be wise to have nginx automatically configured to refuse access to .htaccess files

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM:
Confirm bug
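An added example (not part of the forum post, and not Plesk's own code) for the check and the mitigation the report asks for: a POSIX shell script that audits a document root for leftover Apache control files after a switch to nginx-only hosting, prints the nginx location block that refuses to serve them, and optionally probes a host with curl. The Plesk "Additional nginx directives" field and the curl probe are assumptions, not something the post describes.

```shell
#!/bin/sh
# Added example (not from the forum post or Plesk): find .ht* files left
# behind under a document root and emit the nginx directive that denies them.

# List Apache per-directory control files (.htaccess, .htpasswd, ...)
# under the given document root, one path per line.
find_htfiles() {
    find "$1" -type f -name '.ht*' 2>/dev/null | sort
}

# Succeeds (exit 0) when no .ht* file exists under the document root.
docroot_is_clean() {
    [ -z "$(find_htfiles "$1")" ]
}

# Print the location block to add to the site's nginx vhost. In Plesk this
# would go into the domain's "Additional nginx directives" (assumption; the
# post names no specific setting).
nginx_deny_snippet() {
    cat <<'EOF'
# Refuse any request for Apache control files (.htaccess, .htpasswd, ...).
location ~ /\.ht {
    deny all;
    return 404;
}
EOF
}

# Optional live check against a host you administer: expect 403 or 404 for
# /.htaccess; anything else means the file may still be served.
probe_htaccess() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "https://$1/.htaccess")
    case "$code" in
        403|404) echo "$1: .htaccess refused (HTTP $code)"; return 0 ;;
        *)       echo "$1: .htaccess possibly served (HTTP $code)"; return 1 ;;
    esac
}

# Usage: sh audit_htfiles.sh /var/www/vhosts/example.com/httpdocs
if [ -n "${1:-}" ]; then
    if docroot_is_clean "$1"; then
        echo "no .ht* files under $1"
    else
        echo "leftover Apache control files under $1:"; find_htfiles "$1"
        echo; nginx_deny_snippet
    fi
fi
```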