Public Visibility of .txt and .json Files

Hello everyone!

I’m facing a security issue on my websites hosted using HestiaCP. The problem is that files with extensions like .txt or .json (perhaps other formats as well) are publicly accessible. I’ve tried various configurations in the “.htaccess” file without any success, and I’m unsure of the root cause.

At first, I suspected that the “.htaccess” rules were not functioning, but I tested by adding a simple redirection to google.com, and it worked perfectly.

Here’s an example of a file that shouldn’t be publicly visible, but unfortunately, it is:

https://dutyfree.lol/includes/config/webengine.json

(No need to worry about the data shown in the JSON; it’s fake and for testing purposes.)

Any assistance or guidance on resolving this issue would be greatly appreciated. Thanks in advance!

Hi @redroot,

Those file extensions are not being served by Apache but by Nginx, so if you want your htaccess rules to work for those file extensions, you should remove those extensions from your web domain conf.

Edit Web Domain -> Advanced Options -> Remove the extensions from Proxy Extensions list -> Save
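As an illustration of the reply above (an added example, not part of the thread and not Hestia's own code), this script lists files that sit under an `.htaccess` yet have an extension in the Proxy Extensions list, so Nginx would answer for them without Apache applying the rules. It assumes the list is comma-separated and matched case-insensitively; the function names and the sample tree are constructed, with only `includes/config/webengine.json` taken from the question.

```python
import os
import tempfile

def parse_proxy_extensions(raw):
    """Split the comma-separated Proxy Extensions field into a lowercase set."""
    return {e.strip().lstrip(".").lower() for e in raw.split(",") if e.strip()}

def bypassing_htaccess(docroot, raw_extensions):
    """Relative paths of files covered by an .htaccess whose extension is in
    the proxy list (assumption: such files never reach Apache)."""
    exts = parse_proxy_extensions(raw_extensions)
    guarded = set()  # directories with their own or an inherited .htaccess
    hits = []
    for dirpath, _dirs, filenames in os.walk(docroot):  # top-down: parents first
        if ".htaccess" in filenames or os.path.dirname(dirpath) in guarded:
            guarded.add(dirpath)
        if dirpath not in guarded:
            continue
        for name in filenames:
            ext = os.path.splitext(name)[1].lstrip(".").lower()
            if ext in exts:
                rel = os.path.relpath(os.path.join(dirpath, name), docroot)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)

def demo():
    """Build a constructed docroot and audit it against two proxy lists."""
    with tempfile.TemporaryDirectory() as root:
        cfg = os.path.join(root, "includes", "config")
        pub = os.path.join(root, "public")
        os.makedirs(cfg)
        os.makedirs(pub)
        for path in (os.path.join(cfg, ".htaccess"),
                     os.path.join(cfg, "webengine.json"),
                     os.path.join(cfg, "notes.TXT"),
                     os.path.join(cfg, "db.php"),
                     os.path.join(pub, "readme.txt")):
            open(path, "w").close()
        # Constructed lists: first has txt but not json, second has both.
        return (bypassing_htaccess(root, "jpg, png, css, js, txt"),
                bypassing_htaccess(root, "txt,json"))

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Files the script reports either need their extension removed from the list, as the reply describes, or should be moved outside the web root.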

Thanks for the reply!!

.txt is there but .json is not :slightly_frowning_face:


Two things,

1.- Before replying, I tried to connect to the link you posted and I couldn’t, but I tried a few minutes ago and I could connect. However, you are not using Hestia; the web server serving your domain was LiteSpeed…

2.- What is the Hestia version you are using? What are the rules in your .htaccess file?