
Pagekit Docker Image Exposes .htaccess File

Open mbiesiad opened this issue 1 month ago • 0 comments

Hi, first of all - great work with the repo.


Description

The community Pagekit Docker image (pagekit/pagekit on Docker Hub) allows public access to the .htaccess file located in the web root. This file contains configuration rules for Apache and should not be exposed, as it can reveal sensitive application details and URL rewrites. The exposure is due to a missing Apache configuration directive to deny access to hidden files (e.g., <Files ".ht*"> Require all denied </Files>).

Proof of Concept

Screenshot


Details

  • Affected Docker image: pagekit/pagekit

  • Affected Docker image - link: https://hub.docker.com/r/pagekit/pagekit

CWE:

  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-284: Improper Access Control
  • CWE-285: Improper Authorization

References

  • https://github.com/izuolan/dockerfiles/tree/master/pagekit
  • https://www.acunetix.com/vulnerabilities/web/htaccess-file-detected/
  • https://www.invicti.com/web-vulnerability-scanner/vulnerabilities/htaccess-file-detected

Best regards,

mbiesiad Nov 30 '25 15:11
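A static check for the directive named in the report, added here as an example; it is not part of the original issue or of the image's own files. The two Apache configs are constructed samples, and `ht_files_denied` is a hypothetical helper name.

```python
import fnmatch
import re

# Constructed sample configs for illustration (not copied from the image).
WEAK_CONF = """\
<Directory /var/www/html>
    AllowOverride All
    Require all granted
</Directory>
"""
# Same config plus the directive quoted in the issue.
FIXED_CONF = WEAK_CONF + """\
<Files ".ht*">
    Require all denied
</Files>
"""
# Matches <Files "glob">, <Files ~ "regex"> and <FilesMatch "regex"> sections.
SECTION = re.compile(
    r'<(Files|FilesMatch)\s+(~\s*)?"?([^">]+?)"?\s*>(.*?)</\1\s*>',
    re.IGNORECASE | re.DOTALL)
# Apache 2.4 syntax, plus the 2.2-style equivalent.
DENY = re.compile(r"^\s*(Require\s+all\s+denied|Deny\s+from\s+all)\s*$",
                  re.IGNORECASE | re.MULTILINE)

def ht_files_denied(conf, names=(".htaccess", ".htpasswd")):
    """Map each file name to True if a deny-all Files section covers it."""
    # Drop comment lines so a commented-out block does not count.
    live = "\n".join(
        line for line in conf.splitlines() if not line.lstrip().startswith("#")
    )
    denied = set()
    for kind, tilde, pattern, body in SECTION.findall(live):
        if not DENY.search(body):
            continue
        use_regex = kind.lower() == "filesmatch" or bool(tilde)
        for name in names:
            if use_regex:
                hit = re.search(pattern, name) is not None
            else:
                hit = fnmatch.fnmatchcase(name, pattern)  # glob: * ? [..]
            if hit:
                denied.add(name)
    return {name: name in denied for name in names}

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(label, ht_files_denied(conf))
```

The check reads a single config text only: it does not follow `Include` directives or detect a later section that re-grants access, so run it against the fully merged configuration.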