5.11 Ensure Access to Inappropriate File Extensions Is Restricted - 'httpd.conf approved extention FileMatch directive exists'

Information

Restrict access to inappropriate file extensions that are not expected to be a legitimate part of web sites using the FilesMatch directive.

Rationale:

There are many files that are often left within the web server document root that could provide an attacker with sensitive information. Most often these files are mistakenly left behind after installation, trouble-shooting, or backing up files before editing. Regardless of the reason for their creation, these files can still be served by Apache even when there is no hyperlink pointing to them. The web administrators should use the FilesMatch directive to restrict access to only those file extensions that are appropriate for the web server. Rather than create a list of potentially inappropriate file extensions such as .bak, .config, .old, etc, it is recommended instead that a white list of the appropriate and expected file extensions for the web server be created, reviewed and restricted with a FilesMatch directive.

Solution

Perform the following to implement the recommended state:

Compile a list of existing file extension on the web server. The following find/awk command may be useful, but is likely to need some customization according to the appropriate webroot directories for your web server. Please note that the find command skips over any files without a dot (.) in the file name, as these are not expected to be appropriate web content.

find */htdocs -type f -name '*.*' | /usr/bin/awk -F. '{print $NF }' | sort -u

Review the list of existing file extensions, for appropriate content for the web server, remove those that are inappropriate and add any additional file extensions expected to be added to the web server in the near future.

Add the FilesMatch directive below which denies access to all files by default.

# Block all files by default, unless specifically allowed.
<FilesMatch '^.*$'>
Require all denied
</FilesMatch>

Add another a FilesMatch directive that allows access to those file extensions specifically allowed from the review process in step 2. An example FilesMatch directive is below. The file extensions in the regular expression should match your approved list, and not necessarily the expression below.

# Allow files with specifically approved file extensions
# Such as (css, htm; html; js; pdf; txt; xml; xsl; ...),
# images (gif; ico; jpeg; jpg; png; ...), multimedia
<FilesMatch '^.*.(css|html?|js|pdf|txt|xml|xsl|gif|ico|jpe?g|png)$'>
Require all granted
</FilesMatch>

Default Value:

There are no restrictions on file extensions in the default configuration.

See Also

https://workbench.cisecurity.org/files/3021