CNET también está disponible en español.

Ir a español

Don't show this again

Computers

Apache security "leak" noted with .DS_Store files

Apache security "leak" noted with .DS_Store files

Christopher Graham sent us the following note, posted to the Apache Webserver Weekly mailings:

    "Mac OS X users should be aware of a potential problem as the Finder creates files .DS_Store in viewed directories. Unless Apache is configured to deny access to these files a remote user can request them and be given a list of files in the directory."

Note: The .DS_Store file stores the names and icon locations of files in each folder.

Update: Christopher adds: "Use the following lines in the Apache Configuration file (httpd.conf) to disallow reading of the files." Test the capability before and after to ensure the leak is fixed.

    <Files ~ "^\.DS_Store">
    Order allow,deny
    Deny from all
    </Files>

Update: Another reader reports: "The fix does not entirely remedy the problem if you are running Apache on an HFS Plus volume. In that case, you can still access the .DS_Store file just by entering the name in a different case, e.g. .ds_store. This has to do with the case-sensitive issue reported previously (see securityfocus and MacFixIt coverage). To overcome both security problems, you should add both upper and lower case letters in the Files rule:

<Files ~ "^\.[Dd][Ss]_[Ss]">
Order allow,deny
Deny from all
</Files>

This will block any files beginning with ".DS_S" (no matter if you use upper or lower case letters) from being viewed.