-1

PCI scanning reports the following issue for my Joomla site:

"It is possible to retrieve file backups from the remote web server"

I've checked it manually by accessing http://example.com/component/user/~

Basically, it does not throw a 404 error when accessing http://example.com/component/user/~

I want to throw a 404 error, or redirect to the home page, when any directory is accessed with a trailing ~

So what I have tried is to add the line below to my .htaccess:

RewriteCond %{REQUEST_URI} ![~]$ [NC]

However, this does not work.

Is there any other way to fix this, or is the above command correct, and where exactly should it be placed?

I've tried putting this under root directory and under /joomla/components/mod_user directory.

Patrick Mevzek
Kesav
  • You can also tell your ASV that this is a false positive. They will verify and remove it as a fail item from the report. – Ladadadada Aug 10 '12 at 09:54
  • This is not a false positive, since accessing http://site.com/component/user/~ is displaying http://site.com/component/user/ and not throwing a 404 error code. I've also checked this myself. – Kesav Aug 10 '12 at 10:00
  • I'd appreciate it if someone can please help me. – Kesav Aug 10 '12 at 10:01
  • It is a false positive if you can't retrieve *a backup version of your file* at that URL. Emacs creates a file in the same directory where you are editing with the same name but with a tilde on the end. It uses this as a backup so you can revert to a previous version. If you don't use Emacs and the actual file doesn't exist, it's a false positive. – Ladadadada Aug 10 '12 at 10:03
  • This is a terrible question title. – womble Aug 10 '12 at 10:54
  • Am I the only one to be concerned that Kesav is processing credit card payments but doesn't know what's happening here nor how to diagnose / resolve it? – symcbean Aug 10 '12 at 11:42
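As an added example (not the asker's own .htaccess), here is a mod_rewrite fragment that does what the question asks. A RewriteCond on its own never takes effect: it only qualifies the RewriteRule that immediately follows it, and the leading ! in the line above additionally negates the match, so it selects every URL that does not end in ~. The fragment assumes mod_rewrite is enabled (a Joomla .htaccess already relies on it) and must be placed above Joomla's own RewriteRule that sends requests to index.php, otherwise that rule fires first and Joomla's router serves /component/user/ for the tilde URL.

```apache
# Added example, not the asker's configuration: .htaccess fragment for a
# Joomla site that answers 404 to any request whose URL path ends in "~".
# Assumes mod_rewrite is enabled. Put it ABOVE Joomla's rewrite to index.php.
RewriteEngine On

# A RewriteCond only qualifies the RewriteRule that immediately follows it.
# Match URL paths ending in a literal tilde (no "!" here: we want a match).
RewriteCond %{REQUEST_URI} ~$
# "-" leaves the URL untouched; a non-3xx code in R= makes Apache answer with
# that status (404 Not Found) instead of redirecting, and stops rewriting.
RewriteRule ^ - [R=404,L]

# Alternative the question also mentions: send such requests to the home page
# with a 302 redirect instead of a 404. Use one form or the other, not both.
# RewriteCond %{REQUEST_URI} ~$
# RewriteRule ^ / [R=302,L]
```

After saving the file, requesting http://example.com/component/user/~ (with curl -I, for instance) should show the 404 or 302 status rather than the 200 the scanner saw.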

1 Answer

2

Why does everyone run straight to mod_rewrite? It's like trying to use an anti-ship mine to open a tight jar lid. Just use a LocationMatch to match whatever file paths you want, and then put a deny from all in there.

womble
  • +1 for the use of anti-ship mines. – Zapto Aug 10 '12 at 11:59
  • Thanks for the responses. However, I cannot make use of LocationMatch since it will not work using .htaccess. I'm on shared hosting, so I can only play around with .htaccess and not Apache configs. Any other solution or workaround? – Kesav Aug 10 '12 at 18:42
  • Is it possible to obtain any level of PCI compliance on shared hosting? I would be surprised if it was. – Ladadadada Aug 10 '12 at 22:02
  • It's not impossible, but it requires a bit of cooperation from your shared hosting provider -- the sort of cooperation that would cause them to add a LocationMatch rule for you. – womble Aug 11 '12 at 11:06
  • And between `Location` and `mod_rewrite` rules you have another option that is often enough: `mod_alias` with its `Redirect` rules. But here if the issue is blocking access to some files, the proper response is the `Require` directive of Apache, not messing with redirections. – Patrick Mevzek Aug 09 '19 at 22:29
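The LocationMatch approach from the answer and the Require directive from the last comment, written out as an added example (configuration of my own, not womble's or Patrick Mevzek's). It assumes Apache 2.4 for Require, with the 2.2 equivalent the answer alludes to ("deny from all") shown in comments, and, for the .htaccess variant, that the host's AllowOverride permits AuthConfig directives. Both forms return 403 Forbidden rather than the 404 the question asks for, but in either case the URL no longer serves content.

```apache
# Added example; not configuration from the answer's or comments' authors.
# Server-level form, for httpd.conf or the site's <VirtualHost> (not allowed
# in .htaccess): deny every URL path ending in "~", which covers editor backup
# files such as Emacs' "index.php~" anywhere under the site, no mod_rewrite.
<LocationMatch "~$">
    # Apache 2.4 (mod_authz_core)
    Require all denied
    # Apache 2.2 equivalent (mod_authz_host); use these two lines instead:
    # Order allow,deny
    # Deny from all
</LocationMatch>

# .htaccess-compatible form for shared hosting on Apache 2.4: <If> is
# permitted in .htaccess and tests the request URI with the same Require.
# Assumes the host allows AuthConfig overrides for this directory.
<If "%{REQUEST_URI} =~ /~$/">
    Require all denied
</If>
```

Either block makes http://example.com/component/user/~ answer 403, which can be confirmed with curl -I before re-running the scan.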