Have you looked at your .htacess file recently? Your Apache server may not be secure
If your organization’s website runs on Apache, and many do, you might wonder if the webserver’s .htaccess controls are securely configured. If you believe the demo we saw on July 27 at Black Hat by Matias Katz and Maximiliano Soler, the answer is a resounding ‘NO!’ What Katz and Soler describe in their session is not some rare “corner case” hack that could only possibly occur in a lab with billions of automated attempts, this is easily testable in the real world, and the tools to exploit it are freely available.
It turns out that Apache, the most commonly-used web server in the world, has an arrangement where it hands off PHP-based requests within .htaccess to PHP itself, which has worked fine on millions and millions of websites for years. But with .htaccess, you can specify what requests get sent to PHP to try to interpret. The usual methods are GET and POST, but if you feed the .htaccess process some non-standard input, PHP automatically (unless otherwise instructed) treats it as a GET request, and allows the utility to start saving the PHP files on a webserver to your local filesystem.
Then it gets worse. Once the process has identified links buried in the files it just saved, it goes hunting down those links, requesting to save them all. It also checks to see if it already saved the file that the link points to, and in this way, won’t download duplicates, keeping the fileset fresh.
But wait, there’s more. After it saves all those linked files, it scours them as well, searching for files located wherever they link to, and so the process goes. With so many pages linking to other resources, it’s easy to see how a bad actor can pull down all the PHP files that run the site. These may well contain references to login credentials for databases, passwords, personally identifiable information and a host of other goodies that can be sold on the black market or used to enable further exploits.
Want to protect yourself? Turns out you can get very specific in your .htaccess file about what types of requests get handed to PHP by using the “LimitExcept” directive instead of the more commonly used “Limit”. You can also fix the issue within your PHP code as well.
So, now might be a good time to check your website configuration to make sure you’re protected, before the bad guys go scouring around trying to use this type of exploit. And if you’re not the person in charge of your website, you might want to point out this problem to the person who is, they may thank you, a lot.
Reprinted with permission
Cameron Camp is a researcher for global security provider ESET and has played a critical role in building the ESET North America Research Lab. Cameron has been building critical technology infrastructures for more than 20 years, beginning as an assembly language programmer in 1987 and eventually becoming an evangelist for Linux and open-source technologies with an emphasis on the security sector. Prior to joining ESET, he founded Logical Web Host in 1998, a data-driven web services company.