A file path traversal (directory traversal) attack is a common security issue in web applications.
In this attack, a hacker gains access to files or directories on a server through the web URL, which leads to major security issues.
If you are using Apache as the front-end web server, you can follow the steps below to stop this path traversal attack easily.
Any file on the application server can be accessed by appending something like “WEBURL=file://” to the URI, and if Apache is run by the root user, then even /etc/passwd and other secured files can be accessed easily.
Here we will use the mod_rewrite module provided by Apache to block this.
Follow the steps below to configure it in the Apache configuration file httpd.conf.
– Add the entry below to the LoadModule section of httpd.conf to enable the mod_rewrite module:
LoadModule rewrite_module modules/mod_rewrite.so
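– Put the configuration below anywhere in the httpd.conf file:
<IfModule rewrite_module>
    RewriteEngine On
    # With no RewriteCond in front of it, this rule matches every request path
    # and answers 403 Forbidden ([F]). Precede it with a RewriteCond so that
    # only the unwanted requests are refused.
    RewriteRule ^/(.*)$ - [F]
</IfModule>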
– Put the configuration below to stop the directory traversal:
Here “-Indexes” turns off automatic directory listings, so the contents of a directory cannot be browsed.
– Restart the Apache services and test.
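The steps above assembled into one httpd.conf fragment, as an added example that is not from the original article. The RewriteCond lines and the /var/www/html directory are assumptions made here: the conditions limit the 403 to query strings carrying a file:// value such as “WEBURL=file://”, and the directory stands in for your own document root.

```apache
# Added example: values marked "assumption" are not from the original article.

# Step 1: load mod_rewrite.
LoadModule rewrite_module modules/mod_rewrite.so

# Step 2: refuse requests whose query string carries a file:// value.
# Note: rewrite settings in the main server context are not inherited by
# <VirtualHost> sections unless "RewriteOptions Inherit" is set there, so
# place this block inside each virtual host that needs it.
<IfModule rewrite_module>
    RewriteEngine On

    # Assumption: match "file://" in the raw query string, case-insensitively.
    # %{QUERY_STRING} is not URL-decoded, so the percent-encoded spellings of
    # ":" (%3a) and "/" (%2f) are matched as well.
    RewriteCond %{QUERY_STRING} file(:|%3a)(/|%2f)(/|%2f) [NC]

    # Runs only when the condition above matched: answer 403 Forbidden.
    RewriteRule ^/(.*)$ - [F]
</IfModule>

# Step 3: turn off automatic directory listings.
# Assumption: /var/www/html is a placeholder for your DocumentRoot.
<Directory "/var/www/html">
    Options -Indexes
</Directory>
```

This filter only narrows what reaches the application; the code that reads the WEBURL parameter should still restrict which schemes and paths it will open, and Apache itself should not be run as root.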
If you want to harden Apache further, you can check this article on the same.
For more information on mod_rewrite, you can check this link from Apache.org.