• Resolved wpjasonr

    (@wpjasonr)


    Hello. I have a number of sites on AWS Lightsail that I recently upgraded to the latest 5-7-2.34 build (Bitnami). WAF scan now reports:

    Publicly accessible config, backup, or log file found: .user.ini

    The file /.user.ini on these sites is accessible via the browser; however, the following exists in the .htaccess file:

    # Wordfence WAF
    <Files ".user.ini">
    <IfModule mod_authz_core.c>
    	Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
    	Order deny,allow
    	Deny from all
    </IfModule>
    </Files>

    The mod_authz_core module is active.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @wpjasonr, thanks for getting in touch with us.

    I’d like to access the .user.ini path(s) on your site myself if possible to see if this is a false report from the scan.

    Can you send a diagnostic report to wftest @ wordfence . com? You can find the link to do so at the top of the Wordfence Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.

    Note: For the fastest response time, please make sure to add any information or questions directly to this topic and not to the email address above unless asked.

    Thanks,

    Peter.

    Thread Starter wpjasonr

    (@wpjasonr)

    Hi Peter,

    Diagnostics have now been sent for one of the sites as an example.

    Plugin Support wfpeter

    (@wfpeter)

    Hi @wpjasonr,

    I was expecting to maybe see your auto_prepend_file being overwritten, or user_ini.filename not being visible but those seem to be working. I am also able to see your .user.ini file in my browser so it’s not a false-positive.

    The only thing I’m unable to check myself is whether you have multiple .htaccess files in your directory structure so the “# Wordfence WAF” code appears in one that is being overridden. If you find another, either in a root or child folder of your site(s), does moving or duplicating the code into this solve the issue?

    Thanks,

    Peter.

    Thread Starter wpjasonr

    (@wpjasonr)

    Hi Peter. There’s nothing in the main site folder. Some of the subfolders have .htaccess files, but they don’t look like they’re anything of interest and are specific to the folders that contain them.

    However, the 5.7.2-34 AWS Lightsail build contains two new virtual hosts at the following locations:

    /opt/bitnami/apache/conf/vhosts/wordpress-https-vhost.conf
    /opt/bitnami/apache/conf/vhosts/wordpress-vhost.conf

    I’m not sure if this is the ideal thing to do, but if I add the following code to each of these files, access to the .user.ini file is now blocked:

    # Wordfence WAF
    <Files ".user.ini">
    <IfModule mod_authz_core.c>
    	Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
    	Order deny,allow
    	Deny from all
    </IfModule>
    </Files>
    # END Wordfence WAF
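The thread never pins down why the .htaccess rule was ignored while the same block in the vhost files worked. A common cause on Bitnami images, stated here as an assumption rather than something the thread confirms, is that the vhost sets AllowOverride None for the document root, which makes Apache skip .htaccess entirely, so per-directory rules only take effect once they are moved into the vhost. The script below is an added example, not code from the thread, from Wordfence or from Bitnami. It gives a repeatable check for "a number of sites": it probes /.user.ini on each host and classifies the HTTP status, and it has a server-side helper that reports whether mod_authz_core is loaded, what AllowOverride the vhosts set, and which files carry the Files block. The vhost directory is the one quoted in the thread; the WordPress document root, the host names and the decision to probe https only are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread, Wordfence or Bitnami): verify whether
# /.user.ini is really blocked on each site, and gather the local Apache
# facts that decide whether a .htaccess rule is honoured at all.

VHOST_DIR="/opt/bitnami/apache/conf/vhosts"   # paths quoted in the thread
WP_DIR="/opt/bitnami/wordpress"               # assumption: Bitnami WordPress document root

# Map an HTTP status code to a verdict for a config/backup/log file probe.
# 000 is what curl's %{http_code} prints when no response was received.
classify_status() {
    case "$1" in
        401|403) echo "blocked" ;;
        404|410) echo "absent" ;;
        200)     echo "EXPOSED" ;;
        000)     echo "unreachable" ;;
        3*)      echo "redirect" ;;
        *)       echo "unexpected($1)" ;;
    esac
}

# Probe one site over https and print "<verdict> <host>".
# -L is deliberately omitted: a redirect is reported, not followed, so a
# 301 from http->https or www->apex cannot be mistaken for a block.
probe_site() {
    host="$1"
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "https://$host/.user.ini")
    echo "$(classify_status "$code") $host"
}

# Run on the server itself. Reports:
#  - whether mod_authz_core is loaded (decides which IfModule branch applies)
#  - every AllowOverride directive in the vhosts; "AllowOverride None"
#    means Apache ignores .htaccess under that directory (assumption about
#    the cause in this thread, see the lead-in)
#  - which files actually contain the Files ".user.ini" block
local_checks() {
    if apachectl -M 2>/dev/null | grep -q authz_core_module; then
        echo "mod_authz_core: loaded"
    else
        echo "mod_authz_core: NOT loaded"
    fi
    grep -Hn 'AllowOverride' "$VHOST_DIR"/*.conf 2>/dev/null
    grep -l 'Files ".user.ini"' "$VHOST_DIR"/*.conf "$WP_DIR/.htaccess" 2>/dev/null
}

# usage: sh check_user_ini.sh example.com example.org   (hosts are assumptions)
#        sh -c '. ./check_user_ini.sh; local_checks'    (on the Lightsail instance)
if [ "$#" -gt 0 ]; then
    for h in "$@"; do probe_site "$h"; done
fi
```

Anything other than "blocked" or "absent" for a site means the Wordfence scan finding is still valid there, whatever the .htaccess file says; after adding the block to the vhost files as in the post above, re-run the probe rather than trusting the config edit alone, since Apache only reads vhost changes on restart or reload.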
    Plugin Support wfpeter

    (@wfpeter)

    Hi @wpjasonr,

    That’s great that it’s now blocked. It could be possible to copy one of these .htaccess files to the main site folder as a catch-all, but there is no harm having the code present in individual folders. Similarly to .htaccess, it’s possible to have .user.ini files in individual folders, so this isn’t an uncommon practice.

    Thanks again,

    Peter.

    Thread Starter wpjasonr

    (@wpjasonr)

    Marking as resolved.

  • The topic ‘.user.ini accessible despite .htaccess rules’ is closed to new replies.