Apache .htaccess and .htpasswd Disclosure

medium Nessus Plugin ID 106231

Synopsis

The remote web server discloses information via HTTP request.

Description

The Apache server does not properly restrict access to .htaccess and/or .htpasswd files. A remote unauthenticated attacker can download these files and potentially uncover important information.

Solution

Change the Apache configuration to block access to these files.

See Also

https://www.owasp.org/index.php/SCG_WS_Apache

Plugin Details

Severity: Medium

ID: 106231

File Name: apache_ht_disclosure.nasl

Version: 1.4

Type: remote

Family: Web Servers

Published: 1/22/2018

Updated: 5/16/2018

Supported Sensors: Nessus

Vulnerability Information

CPE: cpe:/a:apache:http_server

Required KB Items: installed_sw/Apache

Exploited by Nessus: true