Deal better with the abuse of the hidden “well-known” directory on HTTPS sites
summercms opened this issue · 4 comments
Currently h5bp allows open access to the /.well-known/ folder, which is being abused all over the internet by hackers using the folder to store and distribute Shade ransomware and phishing pages.
H5bp code location is here: server-configs-apache/src/security/file_access.conf, lines 15 to 38 in ca75cd9
You can find a more in-depth article about this issue here: https://www.zscaler.com/blogs/research/abuse-hidden-well-known-directory-https-sites
I would like to see h5bp deal better with this important issue and update their code to allow webmasters the option of blocking access to this folder or not. Webmasters and developers should have the option to choose.
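An added example of the opt-in restriction the issue asks for (this is not h5bp's own configuration and not from the issue; it assumes Apache 2.4 authorization syntax and that the host only needs the ACME HTTP-01 challenge sub-path):

```apache
# Added example, not part of h5bp's file_access.conf: deny everything under
# /.well-known/ by default, then re-open only the sub-paths this host serves.
# Later <Location> sections override earlier ones, so order matters.
<LocationMatch "^/\.well-known/">
    Require all denied
</LocationMatch>

# Assumption: this host only needs the ACME HTTP-01 challenge path.
# Allow-list further sub-paths (e.g. /.well-known/security.txt) the same way.
<LocationMatch "^/\.well-known/acme-challenge/">
    Require all granted
    # Serve whatever is there as static content and never hand it to a
    # script handler, so a file dropped here by a compromised CMS is not
    # executed server-side.
    SetHandler default-handler
    # No directory listings even if Options +Indexes is set higher up.
    Options -Indexes
</LocationMatch>
```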
Hello @ayumi-cloud, thanks for opening this issue.
> Currently h5bp allows open access to the /.well-known/ folder

Not really, the current config only allows accessing public files in /.well-known/ following RFC 5785.
> You can find a more in-depth article about this issue

I'm concerned about the relevance of this article. It only mentions CMS software weaknesses (especially WordPress and Joomla), which are tools that can copy/move/add content on the server.
Apache httpd itself can't put any file in /.well-known/.
> I would like to see h5bp deal better
You're always welcome to submit a PR! 🙏
I'm personally very curious on what can be done to improve this case. 🙂
Hi @LeoColomb, thanks for the interest. We are still researching and talking to several people to develop a solution to this issue, but we would be happy to create and submit a PR for it later on if you are willing to add an "enhancement" label. Not sure what your "invalid" label means; sounds like we did a syntax error or something.
Thanks @ayumi-cloud.
> Not sure what your "invalid" label means

Up to now, there is no proof that H5BP has a weakness and/or can fix an httpd weakness. "invalid" avoids confusion about the severity of this ticket.
Closing as stale and without any valid proof, but please continue the discussion as soon as more information is available.