Forwarded to devs Possible disclosure of information: .htaccess accessible through nginx

[Sergio Manzi]

TITLE:

Possible disclosure of information: .htaccess accessible through nginx​

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE:

Plesk 17.8.10 (upgraded from 17.5.3#40)
CentOS 7.4.1708, Kernel 3.10.0-693​

PROBLEM DESCRIPTION:

Possible disclosure of information:

• You have a site running under Apache having a .htaccess file in its root (or several of them in other directories)
• You re-configure that site to "Nginx-Only" hosting
• You forget to delete the .htaccess files
• The .htaccess files are accessible (like e.g.: https://www.example.com/.htaccess)

STEPS TO REPRODUCE:

• Have a site having a .htaccess file at its root and running under Apache
  
• Try to access that file from a browser
• You get an error 403 (Forbidden)
• Transition the site to Nginx-only hosting
• Try to access .htaccess again

ACTUAL RESULT:

You are "served" the .htaccess file and you can save it locally​

EXPECTED RESULT:

Refusal to serve the file as a precaution (possible disclosure of sensible information)​

ANY ADDITIONAL INFORMATION:

I appreciate that the responsibility of the site content is under the user, but I think in a similar scenario it would be wise to have nginx automatically configured to refuse access to .htaccess files​

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM:

Confirm bug​

 

[Sergio Manzi]

Consider refusal to serve any "dot" file, not just .htaccess

 

[IgorG]

Thank you for report.
Bugreport PPPM-8063 was created.