Apache security "leak" noted with .DS_Store files

Christopher Graham sent us the following note, posted to the Apache Webserver Weekly mailings:

    "Mac OS X users should be aware of a potential problem as the Finder creates files .DS_Store in viewed directories. Unless Apache is configured to deny access to these files a remote user can request them and be given a list of files in the directory."

Note: The .DS_Store file stores the names and icon locations of files in each folder.

Update: Christopher adds: "Use the following lines in the Apache Configuration file (httpd.conf) to disallow reading of the files." Test the capability before and after to ensure the leak is fixed.

    <Files ~ "^\.DS_Store">
    Order allow,deny
    Deny from all
    </Files>

Update: Another reader reports: "The fix does not entirely remedy the problem if you are running Apache on an HFS Plus volume. In that case, you can still access the .DS_Store file just by entering the name in a different case, e.g. .ds_store. This has to do with the case-sensitive issue reported previously (see securityfocus and MacFixIt coverage). To overcome both security problems, you should add both upper and lower case letters in the Files rule:

    <Files ~ "^\.[Dd][Ss]_[Ss]">
    Order allow,deny
    Deny from all
    </Files>

This will block any files beginning with ".DS_S" (no matter if you use upper or lower case letters) from being viewed."
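
The following Python check is an added example, not part of the original reports: it enumerates every upper/lower-case spelling of .DS_Store and lists the ones a given Files pattern fails to match, which is what matters on a case-insensitive HFS Plus volume. It assumes Python's re treats these simple patterns the same way Apache's regex engine does; the URL in the final comment is hypothetical and stands for a directory on your own server.

```python
import itertools
import re
import urllib.error
import urllib.request


def case_variants(name):
    """Every upper/lower-case spelling of name (128 for ".DS_Store")."""
    choices = [sorted({c.lower(), c.upper()}) for c in name]
    return ["".join(p) for p in itertools.product(*choices)]


def uncovered(files_regex, name=".DS_Store"):
    """Spellings of name that a <Files ~ "regex"> deny rule would NOT match.

    Assumption: the rule is applied as an unanchored search on the file name,
    and Python's re agrees with Apache's engine for patterns this simple.
    """
    rule = re.compile(files_regex)
    return [v for v in case_variants(name) if not rule.search(v)]


def probe(base_url, name=".DS_Store"):
    """Request every spelling from your own server; return those served (HTTP 200)."""
    served = []
    for variant in case_variants(name):
        url = f"{base_url.rstrip('/')}/{variant}"
        try:
            with urllib.request.urlopen(url, timeout=5) as resp:
                if resp.status == 200:
                    served.append(variant)
        except urllib.error.HTTPError:
            pass  # 403/404 and similar: the file was not served
    return served  # connection errors propagate so a dead server is not read as "fixed"


if __name__ == "__main__":
    total = len(case_variants(".DS_Store"))
    for pattern in (r"^\.DS_Store", r"^\.[Dd][Ss]_[Ss]"):
        missed = uncovered(pattern)
        print(f"{pattern!r}: {len(missed)} of {total} spellings unblocked")
    # probe("http://localhost/some/dir")  # hypothetical URL; run before and after the change
```

Run `probe` before and after editing httpd.conf: an empty list afterwards means no spelling of the file is being served from that directory.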