obiba / mica2

Mica is a web portal for epidemiological study consortia.
http://www.obiba.org/pages/products/mica/
GNU General Public License v3.0

Security issue - .htaccess is not protected #4310

Closed jonathanmassehsj closed 2 years ago

jonathanmassehsj commented 2 years ago

Describe the bug
You can download the .htaccess at https://your/server/.htaccess/ (with the / at the end).

To Reproduce
Steps to reproduce the behavior:

1. Go to '...' https://your/server/.htaccess/ (with the / at the end)
2. You will see the server .htaccess

Expected behavior
.htaccess should be kept protected.

Desktop (please complete the following information):

OS: Windows 11
Browser: Chrome
Version: 102

ymarcon commented 2 years ago

I am not sure it is used. Can you verify that @kazoompa ?

kazoompa commented 2 years ago

I will take a look...

kazoompa commented 2 years ago

I was able to reproduce the download, but I do not think there is any security issue, since access to data is through Mica's authorization layer and permission system.

Unfortunately, this file cannot be removed as it affects the service loading. I will explore using filters to block this.
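The comment above proposes a request filter rather than deleting the file. As an added illustration of that approach (not Mica's code, nor anything from the obiba project), here is such a filter written in Python as WSGI middleware so it runs stand-alone; the check in is_blocked() is the part a Java servlet Filter would carry over unchanged. The names deny_htfiles, is_blocked and status_for are this example's own, and the request paths in the demo are constructed. It refuses any path containing a segment that starts with ".ht" (the same pattern Apache's default configuration uses to hide .htaccess and .htpasswd), after percent-decoding, so the trailing-slash form from the report (/.htaccess/) and encoded spellings get the same 404 as the plain path.

```python
"""Request filter that refuses to serve .htaccess-style control files.

Added example for the filter approach discussed in this issue; it is not
Mica's own code.  Written as WSGI middleware so it runs by itself; the
decision logic lives in is_blocked() and is stack-independent.
"""
from urllib.parse import unquote


def _segments(path: str) -> list:
    """Percent-decode the path and split it into non-empty segments.

    Decoding is repeated (bounded) so that '%2Ehtaccess' and the
    double-encoded '%252Ehtaccess' both become '.htaccess'.  Backslashes are
    treated as separators too.  A trailing slash only produces an empty last
    segment, which is dropped, so '/.htaccess/' looks the same as '/.htaccess'.
    """
    decoded = path
    for _ in range(3):  # undo up to three layers of percent-encoding
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return [s for s in decoded.replace("\\", "/").split("/") if s]


def is_blocked(path: str) -> bool:
    """True if any path segment names an Apache control file (.htaccess, ...).

    The match runs on the decoded segments, not on a normalized path, so
    '/.htaccess/..' is refused even though it would normalize to '/'.
    Comparison is case-insensitive for case-insensitive filesystems.
    """
    return any(seg.lower().startswith(".ht") for seg in _segments(path))


def deny_htfiles(app):
    """Wrap a WSGI app so matching requests get a 404 before reaching it."""

    def middleware(environ, start_response):
        # PATH_INFO is already decoded by the server; RAW_URI (gunicorn) and
        # REQUEST_URI (mod_wsgi) keep the original encoding when present.
        candidates = [environ.get("PATH_INFO", "")]
        for key in ("RAW_URI", "REQUEST_URI"):
            if key in environ:
                candidates.append(environ[key].split("?", 1)[0])
        if any(is_blocked(p) for p in candidates):
            # 404 rather than 403: the response should not confirm the file exists.
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"Not Found"]
        return app(environ, start_response)

    return middleware


def _demo_app(environ, start_response):
    """Stand-in for the real application (constructed for this example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"served " + environ.get("PATH_INFO", "").encode()]


def status_for(path: str, raw_uri=None) -> str:
    """Run one constructed GET through the wrapped app; return the status line."""
    captured = []
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": unquote(path)}
    if raw_uri is not None:
        environ["RAW_URI"] = raw_uri
    app = deny_htfiles(_demo_app)
    app(environ, lambda status, headers: captured.append(status))
    return captured[0]


if __name__ == "__main__":
    # Constructed sample paths, including the trailing-slash form from the report.
    for p in ["/.htaccess", "/.htaccess/", "/%2Ehtaccess", "/ws/studies",
              "/docs/.htaccess/../index.html"]:
        print(p, "->", status_for(p))
```

The filter is deliberately stricter than a path-prefix rule: it inspects every decoded segment, so appending a slash, a dot-dot segment or an encoded dot does not change the outcome. A servlet implementation would apply the same check to HttpServletRequest.getRequestURI() and call sendError(404) instead of passing the request down the chain.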

jonathanmassehsj commented 2 years ago

Thank you @kazoompa

Yes, a filter should be perfect to fix the issue; the issue was that our security system (Tenable), which scans all services for vulnerabilities, was raising an alert about the .htaccess.