configuration and/or authorization information issue? #1485

Closed
opened 2026-02-05 01:01:51 +03:00 by OVERLORD · 1 comment

Originally created by @stinkcheese on GitHub (Jan 9, 2020).

Hello All,
Not sure if this has been brought up before, but I was poking at my BookStack instance with a web app analysis tool called nikto, and it was telling me of a directory that could contain config or authorization information. Going to the directory below prompted for a download of what appears to be a config file. I'm not sure how important the file is in terms of security, but I figured I would pose the question here.

OSVDB-3093: /.htaccess: Contains configuration and/or authorization information

Navigating to /.htaccess downloads a file that has the following information in it:

```
<IfModule mod_rewrite.c>
    <IfModule mod_negotiation.c>
        Options -MultiViews -Indexes
    </IfModule>

    RewriteEngine On

    # Redirect Trailing Slashes If Not A Folder...
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*)/$ /$1 [L,R=301]

    # Handle Front Controller...
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ index.php [L]
</IfModule>
```

I'm pretty much a noob in the security field, but I just wanted your opinion.

Thanks!

OVERLORD added the Question label 2026-02-05 01:01:51 +03:00

@ssddanbrown commented on GitHub (Sep 29, 2020):

Hi @stinkcheese,
Sorry for the really late reply. Yeah, it's totally possible for this to be downloaded since it's in the `public/` folder and therefore exposed by the webserver.

This file is fine to view or be downloaded; it's just an Apache config file that might be used by users serving BookStack via Apache. The file is publicly available here and should never contain anything private within.

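A triage check for this kind of Nikto finding, added here as an example and not code from BookStack or Nikto: it lists the directives in a downloaded `.htaccess` that would disclose authentication settings or filesystem paths, which is what separates a harmless rewrite file from one worth locking down. The `SENSITIVE` list, the function names and the second sample file are assumptions made for the example.

```python
# Directives that disclose more than routing rules. The list is an assumption
# made for this example and is not exhaustive.
SENSITIVE = {
    "authtype": "authentication scheme in use",
    "authname": "name of a protected realm",
    "authuserfile": "filesystem path to a password file",
    "require": "access-control rule",
}

def logical_lines(text):
    """Yield (first_line_no, line) with backslash continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        start = start or no
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield start, (buf + raw).strip()
        buf, start = "", None
    if buf:
        yield start, buf.strip()

def triage(text):
    """Return (line_no, directive, reason) for each sensitive directive.
    Blank lines, comments and <Section> open/close tags are skipped."""
    findings = []
    for no, line in logical_lines(text):
        if not line or line[0] in "#<":
            continue
        name = line.split(None, 1)[0]
        if name.lower() in SENSITIVE:  # Apache directive names are case-insensitive
            findings.append((no, name, SENSITIVE[name.lower()]))
    return findings

# Directives from the file quoted in the issue (comments and nesting trimmed).
BOOKSTACK = """<IfModule mod_rewrite.c>
Options -MultiViews -Indexes
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)/$ /$1 [L,R=301]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
</IfModule>"""

# Constructed sample of a file that would deserve a closer look.
CONSTRUCTED = """AuthType Basic
AuthName "Staff"
AuthUserFile \\
    /srv/example/.htpasswd
Require valid-user"""
```

`triage(BOOKSTACK)` returns an empty list, while `triage(CONSTRUCTED)` reports four directives, including the password-file path on line 3.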

Reference: starred/BookStack#1485