h5bp/server-configs-apache

Deal better with the abuse of the hidden “well-known” directory on HTTPS sites

summercms opened this issue · 4 comments

Currently h5bp allows open access to the /.well-known/ folder, which is being abused all over the internet by hackers using the folder to store and distribute Shade ransomware and phishing pages.

H5bp code location is here:

# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Block access to all hidden files and directories with the exception of the
# visible content from within the `/.well-known/` hidden directory.
#
# These types of files usually contain user preferences or the preserved state
# of a utility, and can include rather private places like, for example, the
# `.git` or `.svn` directories.
#
# The `/.well-known/` directory represents the standard (RFC 5785) path prefix
# for "well-known locations" (e.g.: `/.well-known/manifest.json`,
# `/.well-known/keybase.txt`), and therefore, access to its visible content
# should not be blocked.
#
# https://www.mnot.net/blog/2010/04/07/well-known
# https://tools.ietf.org/html/rfc5785
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} "!(^|/)\.well-known/([^./]+./?)+$" [NC]
RewriteCond %{SCRIPT_FILENAME} -d [OR]
RewriteCond %{SCRIPT_FILENAME} -f
RewriteRule "(^|/)\." - [F]
</IfModule>

You can find a more in-depth article about this issue here: https://www.zscaler.com/blogs/research/abuse-hidden-well-known-directory-https-sites

I would like to see h5bp deal better with this important issue and update their code to allow webmasters the option of blocking access to this folder or not. Webmasters and developers should have the option to choose.
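To see what the h5bp rule quoted above actually lets through, here is an added Python emulation of its three conditions; it is not code from the h5bp project. The stricter allowlist variant, its allowlist entries and the sample request paths are assumptions illustrating the per-site option this issue asks for.

```python
import re

# Patterns copied from the h5bp block quoted above. The RewriteCond carries
# [NC], hence IGNORECASE; the RewriteRule pattern is case-sensitive.
WELL_KNOWN_VISIBLE = re.compile(r"(^|/)\.well-known/([^./]+./?)+$", re.IGNORECASE)
HIDDEN_SEGMENT = re.compile(r"(^|/)\.")


def well_known_exception_applies(request_uri: str) -> bool:
    """The RewriteCond negates WELL_KNOWN_VISIBLE, so a match means the request
    escapes the block. The '.' in the pattern is unescaped and matches any
    character, so a final one-character segment never satisfies it."""
    return WELL_KNOWN_VISIBLE.search(request_uri) is not None


def is_blocked(request_uri: str, exists_on_disk: bool) -> bool:
    """Emulate the h5bp rule: 403 only when the URI is not visible /.well-known/
    content, the target exists as a file or directory (-f / -d on
    SCRIPT_FILENAME) and some path segment starts with a dot."""
    if well_known_exception_applies(request_uri):
        return False
    if not exists_on_disk:
        return False  # neither -d nor -f holds; the request falls through (usually a 404)
    return HIDDEN_SEGMENT.search(request_uri) is not None


# Assumed stricter variant (not an h5bp rule): a webmaster opting in keeps only
# an explicit allowlist of well-known names reachable; anything else below
# /.well-known/ is treated like any other hidden path.
STRICT_ALLOWLIST = frozenset({"acme-challenge", "keybase.txt", "manifest.json"})


def is_blocked_strict(request_uri: str, exists_on_disk: bool,
                      allowlist: frozenset = STRICT_ALLOWLIST) -> bool:
    first = re.match(r"^/\.well-known/([^/]+)", request_uri, re.IGNORECASE)
    if first and first.group(1).lower() in allowlist and well_known_exception_applies(request_uri):
        return False
    if not exists_on_disk:
        return False
    return HIDDEN_SEGMENT.search(request_uri) is not None


if __name__ == "__main__":
    # Constructed sample requests; all are assumed to exist on disk.
    for uri in ("/.git/config", "/.well-known/acme-challenge/token123",
                "/.well-known/.hidden", "/.well-known/phish/index.html"):
        print(f"{uri:40} h5bp: {'403' if is_blocked(uri, True) else 'pass':4} "
              f"strict: {'403' if is_blocked_strict(uri, True) else 'pass'}")
```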

Hello @ayumi-cloud, thanks for opening this issue.

Currently h5bp allows open access to the /.well-known/ folder

Not really, the current config only allows accessing public files in /.well-known/, following RFC 5785.

You can find a more in-depth article about this issue

I'm concerned about the relevance of this article. It only mentions CMS software weaknesses (especially WordPress and Joomla), which are tools that can copy/move/add content on the server.

Apache httpd itself can't put any file in /.well-known/.

I would like to see h5bp deal better

You're always welcome to submit a PR! 🙏
I'm personally very curious on what can be done to improve this case. 🙂

Hi @LeoColomb, thanks for the interest. We are still researching and talking to several people to develop a solution to this issue, but we would be happy to create and submit a PR for it later on if you are willing to add an enhancement label. Not sure what your invalid label means; sounds like we did a syntax error or something.

Thanks @ayumi-cloud.

Not sure what your invalid label means

Up to now, there is no proof that H5BP has a weakness and/or can fix an httpd weakness. invalid avoids confusion about the severity of this ticket.

Closing as stale and without any valid proof, but please continue the discussion as soon as more information is available.