The sites/default/files directory contains a .htaccess file that contains security measures. However, this file can be overridden in subdirectories, introducing security vulnerabilities without notification by Drupal of the potential issue. Core already scans for .htaccess files at one layer but not at the next layer(s) down. Why have the status page throw a flag when the htaccess files at the various file roots are wrong but ignore if they are reversed the next layer down?

Make the system stronger at preventing attacks by adding a warning about .htaccess files in subdirectories or having non-standard content in the public://.htaccess.

First step is to determine whether an improved scan and alert is something that should be included in core or in the Security Review module.

Applies to D8 and D7.

Reported by acrosman.


micnap created an issue. See original summary.

greggles’s picture

Issue tags: +Security improvements
acrosman’s picture

I'd like to see this added to core for two main reasons:

  1. The event that lead me to discover this was being exploited on a site I maintain also lead me to find lots Drupal 7 sites that had attack scripts running within public file system. It is a common enough attack vector to be a threat to Drupal's reputation if nothing else.
  2. Having a scan on the status page that implies your file system is secure (by complaining about known conditions), when it may not be, creates a false sense of security.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.0-alpha1 will be released the week of January 30, 2017, which means new developments and disruptive changes should now be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.