5.11 Ensure Access to Inappropriate File Extensions Is Restricted - 'httpd.conf approved extention FileMatch directive exists'

Information

Restrict access to inappropriate file extensions that are not expected to be a legitimate part of web sites using the 'FilesMatch' directive.

Rationale:

There are many files that are often left within the web server document root that could provide an attacker with sensitive information. Most often these files are mistakenly left behind after installation, troubleshooting, or backing up files before editing. Regardless of the reason for their creation, these files can still be served by Apache even when there is no hyperlink pointing to them. The web administrators should use the 'FilesMatch' directive to restrict access to only those file extensions that are appropriate for the web server. Rather than create a blacklist of potentially inappropriate file extensions such as '.bak', '.config', '.old', etc., it is recommended instead that a whitelist of the appropriate and expected file extensions for the web server be created, reviewed, and enforced with a 'FilesMatch' directive.

Solution

Perform the following to implement the recommended state:

1. Compile a list of existing file extensions on the web server. The following 'find/awk' command may be useful but is likely to need some customization according to the appropriate webroot directories for your web server. Please note that the find command skips over any files without a dot (.) in the filename, as these are not expected to be appropriate web content.

find */htdocs -type f -name '*.*' | awk -F. '{print $NF }' | sort -u

2. Review the list of existing file extensions. Remove those that are inappropriate and add any appropriate file extensions expected to be added to the web server in the near future.
3. Add the 'FilesMatch' directive below, which denies access to all files by default. The 'Order'/'Deny' form is Apache 2.2 syntax; on Apache 2.4 use 'Require all denied' instead unless mod_access_compat is loaded.

# Block all files by default, unless specifically allowed.
<FilesMatch "^.*$">
    Order Deny,Allow
    Deny from all
</FilesMatch>

4. Add another 'FilesMatch' directive that allows access to those file extensions specifically allowed from the review process in step 2. It must appear after the deny-all directive from step 3: 'FilesMatch' sections are merged in the order they appear in the configuration, and the later section takes precedence. An example 'FilesMatch' directive is below; the file extensions in the regular expression should match your approved list, not necessarily the expression shown (on Apache 2.4 the body becomes 'Require all granted'). Note that the match is case-sensitive, so a file such as 'LOGO.PNG' would still be denied unless the expression is made case-insensitive (for example with a leading '(?i)') or the filenames are normalised.

# Allow files with specifically approved file extensions
# Such as (css, htm; html; js; pdf; txt; xml; xsl; ...),
# images (gif; ico; jpeg; jpg; png; ...), multimedia
<FilesMatch "^.*\.(css|html?|js|pdf|txt|xml|xsl|gif|ico|jpe?g|png)$">
    Order Deny,Allow
    Allow from all
</FilesMatch>
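The four steps above, carried through end to end as an added example (this is not part of the CIS benchmark or the audit check): a constructed docroot is inventoried with the benchmark's find/awk pipeline, the obviously inappropriate extensions are filtered out in place of the manual review, the approved list is turned into the 'FilesMatch' regular expression, both directives are rendered, and a small emulation of the 'FilesMatch' basename match shows which requests the result would serve. The temporary docroot, its file names and the 'list_extensions', 'build_allow_regex', 'render_filesmatch' and 'would_serve' function names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark text: build the FilesMatch
# allow-list from an inventory of the docroot and check what it would serve.
# The docroot below is constructed in a temporary directory for the demo.

# Step 1: inventory the extensions present under a docroot
# (the benchmark's find/awk pipeline, parameterised on the directory).
list_extensions() {
    find "$1" -type f -name '*.*' | awk -F. '{ print $NF }' | sort -u
}

# Step 4: turn the approved extensions into the FilesMatch regex,
# e.g. build_allow_regex css html js  ->  ^.*\.(css|html|js)$
build_allow_regex() {
    alts=$(printf '%s\n' "$@" | awk 'NR > 1 { printf "|" } { printf "%s", $0 }')
    printf '^.*\\.(%s)$' "$alts"
}

# Emit the two directives (Apache 2.2 Order/Deny/Allow syntax, as on the page).
# The allow block must come after the deny-all block: FilesMatch sections
# merge in configuration order and the later one wins.
render_filesmatch() {
    cat <<EOF
# Block all files by default, unless specifically allowed.
<FilesMatch "^.*\$">
    Order Deny,Allow
    Deny from all
</FilesMatch>

# Allow files with specifically approved file extensions
<FilesMatch "$1">
    Order Deny,Allow
    Allow from all
</FilesMatch>
EOF
}

# Emulate the FilesMatch decision for one request: FilesMatch tests the
# basename against the regex; grep -E suffices for this simple pattern.
# Returns 0 if the file would be served, 1 if it would be denied.
would_serve() {
    printf '%s\n' "$(basename "$2")" | grep -Eq "$1"
}

# --- demo on a constructed docroot ---------------------------------------
DOCROOT=$(mktemp -d "${TMPDIR:-/tmp}/htdocs.XXXXXX")
trap 'rm -rf "$DOCROOT"' EXIT
mkdir -p "$DOCROOT/img" "$DOCROOT/backup"
for f in index.html style.css app.js img/logo.png \
         backup/index.html.bak settings.old dump.sql; do
    : > "$DOCROOT/$f"
done

# Step 2 (the review): drop the extensions that should never be served.
# Real reviews are manual; the filter here stands in for the human decision.
APPROVED=$(list_extensions "$DOCROOT" | grep -Evx 'bak|old|sql')
ALLOW_REGEX=$(build_allow_regex $APPROVED)   # word-splitting intended

render_filesmatch "$ALLOW_REGEX"
```

Run it against a real webroot by calling 'list_extensions /path/to/htdocs' and reviewing the output by hand before building the regex; the inventory is only as good as the directories you point it at, so cover every DocumentRoot and Alias target. The emulation uses grep -E rather than Apache's PCRE, which is fine for this alternation but would diverge for constructs like '(?i)'; the authoritative check is to load the generated fragment, run 'apachectl configtest', and request a known leftover such as a '.bak' file.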

See Also

https://workbench.cisecurity.org/files/2378

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-9, CSCv6|18.3, CSCv7|18.2

Plugin: Unix

Control ID: b37900a306484f53f0e7a057a998a0bfe604ecb2a2c3db71b9aa91569f1c6ca6