
I am trying to access the URL: http://www.domain.com/data/images/.mthumbs/thumb-image.png

I know that this file definitely exists and has correct permissions for reading: /data/images/.mthumbs/thumb-image.png

But when I view it via the URL, Apache gives a forbidden error. Could it be because of the .mthumbs?

John Magnolia

1 Answer


Such files are hidden files in Linux, by convention, and security-sensitive files (`.htaccess` and `.htpasswd` in particular) begin with `.`. Additionally, a popular though outmoded exploit once involved putting `..` in paths, and the use of `/./` in paths could in some cases be used to foil access rules. For these reasons, most Apache configurations tend to deny access to these files and paths.

You should have a rule somewhere that does something along the lines of:

```apache
<FilesMatch "^\.">
    Order allow,deny
    Deny from all
</FilesMatch>
```

Note that it might look very little like that; it's only an example. Make sure you've covered all the security bases I mentioned earlier, and then get rid of that rule, or scope it appropriately.

By far the easier, safer, and more standard thing to do would be to amend your directory structure and/or application to not require pathnames with elements that have a leading `.`.

Falcon Momot
  • This is a rare case that I need to access this folder so could I take a different approach by creating a .htaccess file inside .mthumbs which overwrites the default config? – John Magnolia Nov 06 '13 at 08:47
  • You could do that, if the appropriate `AllowOverride`s are set in the vhost configuration, yes. – Falcon Momot Nov 06 '13 at 09:02
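
Before removing or narrowing the deny rule as the answer suggests, it helps to know what that rule currently hides. The following is an added example, not part of the original answer or comments: a Python script that walks a document root and lists every file whose path contains a leading-dot element, marking `.htaccess` and `.htpasswd` as files that must stay denied even inside an allowed directory such as `.mthumbs`. The sample tree, the `.backup` directory, and the function names are constructed for illustration.

```python
import os
import tempfile

SENSITIVE = {".htaccess", ".htpasswd"}  # the files the answer names as security-sensitive


def audit_docroot(docroot, allowed_dirs=(".mthumbs",)):
    """Return {relative_path: verdict} for files behind a dot-prefixed path element."""
    report = {}
    for base, _dirs, files in os.walk(docroot):
        for name in files:
            rel = os.path.relpath(os.path.join(base, name), docroot)
            parts = rel.split(os.sep)
            hidden = [p for p in parts if p.startswith(".")]
            if not hidden:
                continue  # ordinary path, unaffected by a dotfile deny rule
            if name in SENSITIVE:
                verdict = "keep-denied"  # must stay blocked wherever it lives
            elif all(p in allowed_dirs for p in hidden):
                verdict = "intended"  # only hidden because of an allowed directory
            else:
                verdict = "review"  # would become reachable if the rule were dropped
            report["/".join(parts)] = verdict
    return report


def build_sample_tree(root):
    """Create a constructed sample docroot (hypothetical file names)."""
    for rel in (
        "index.html",
        "data/images/.mthumbs/thumb-image.png",
        "data/images/.mthumbs/.htaccess",
        ".htpasswd",
        "data/.backup/dump.sql",
    ):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit_docroot(root)


if __name__ == "__main__":
    for path, verdict in sorted(demo().items()):
        print(f"{verdict:12} {path}")
```

Anything reported as `review` or `keep-denied` is a reason to scope the exception to the one directory rather than delete the rule outright.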