
I was wondering if there was a simple way to make apache httpd deny (403) any URLs which contain a parent .. in the path.

So far I have tried (ignoring the false positives for simplicity):

<LocationMatch "\.\.">
    Order allow,deny
    Deny from all
</LocationMatch>

But that didn't work. The directory has Allow from all in it. Am I on the right track or is there an easier way to do this (like there was in Fasttrack back in the 90s).

Sodved

1 Answer


I would do it by using ModSecurity:

SecRule REQUEST_URI "../" "log,deny,msg:'Directory Traversal Attack Detected'"

Test with some requests, for example:

http://domain.com/../../../../etc/passwd

then examine the audit log; you'll see something like this:

[modsecurity] [client x.x.x.x] [domain domain.com] [302] [/20120816/20120816-1529/20120816-152911-1np2Nn8AAAEAA Aq6EU0AAAAG] [file "/etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf"] [line "305"] [msg "Directory Traversal Attack Detected"] Access denied with code 403 (phase 2). Pattern match "../" at REQUEST_URI.

quanta
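Both the question's LocationMatch attempt and the answer's rule work on the literal characters of the request; the check a server or WAF rule actually needs is "does any path segment, after decoding, equal `..`". The following Python is an added example written for this page (it is not code from the question, the answer, Apache or ModSecurity): it percent-decodes the path, splits it into segments, and flags only a segment that is exactly `..`, so a file name such as `app..js` (one of the false positives the question sets aside) is not blocked while an encoded traversal sequence is. The sample request list is constructed; only the first entry is the request used in the answer.

```python
"""Detection logic for parent-directory ('..') traversal in request paths.

Added example, not code from the original question or answer. It models what a
deny rule for '..' should match: percent-decode the path (repeated, so that
double encoding is handled), split it on '/', and flag any segment that is
exactly '..'. Matching the raw string '../' misses encoded forms and mis-fires
on names like 'app..js'.
"""
from urllib.parse import unquote, urlsplit


def normalize_path(raw_uri: str, max_rounds: int = 3) -> str:
    """Return the percent-decoded path component of a request URI.

    Decoding is repeated until the string stops changing (bounded by
    max_rounds) so that double-encoded sequences such as %252e are resolved.
    """
    path = urlsplit(raw_uri).path
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def has_parent_traversal(raw_uri: str) -> bool:
    """True if any path segment of the decoded URI is exactly '..'."""
    return any(seg == ".." for seg in normalize_path(raw_uri).split("/"))


def deny_status(raw_uri: str) -> int:
    """HTTP status the server should answer with: 403 for traversal, else 200."""
    return 403 if has_parent_traversal(raw_uri) else 200


# Constructed sample requests; the first one is the request shown in the answer.
SAMPLE_URIS = [
    "http://domain.com/../../../../etc/passwd",
    "/images/../../../etc/passwd",
    "/cgi-bin/%2e%2e/%2e%2e/etc/passwd",     # single percent-encoding
    "/app/%252e%252e/config",                # double percent-encoding
    "/static/app..js",                       # '..' inside a name: not traversal
    "/index.html",
]


def classify(uris=SAMPLE_URIS) -> dict:
    """Map each request URI to the status the check would assign it."""
    return {uri: deny_status(uri) for uri in uris}


if __name__ == "__main__":
    for uri, status in classify().items():
        print(f"{status}  {uri}")
```

In ModSecurity the same effect is obtained by adding transformation actions to the rule (for example `t:urlDecodeUni,t:normalisePath`) so the pattern is applied to the decoded, normalised path rather than to the raw request line; without them a rule that matches the literal `../` only sees requests that send the dots unencoded.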