Tracker: Bugs

some .htaccess files have incorrect apache directives - ID: 2798839
Last Update: Settings changed ( jangliss )

not version specific

.htaccess files in /doc and /contrib have incorrect apache permission
directives

The .htaccess files in /doc and /contrib have the following entries:
Order Deny,Allow
Deny from All
Allow from 127
Allow from 10
Allow from 192

The last entry: "Allow from 192" allows access from publicly routable
network blocks. To achieve the desired effect, that line should read:
"Allow from 192.168"

Additionally, I question the wisdom of including 10 and 192.168. Just
because a network block is not publicly routable does not mean that it
poses no threat. There are large networks that use private network address
spaces with potentially hostile hosts in them. If the 10 and 192.168
entries were to be removed, then I would prefer to see the .htaccess files
simply changed to "Deny from All", as the only entry left is the local
loopback address space, and anyone on the local machine can directly read
those directories anyway.


Jimmy Smythe ( jimmysmythe ) - 2009-05-30 14:39

Priority: 5
Status: Open
Assigned to: Jonathan Angliss
Visibility: Public


Comment ( 1 )

Date: 2009-06-02 02:13
Sender: jangliss (Project Admin)

I've taken care of the reference to 192 and changed to fit RFC1918. Also
added in the 172.16 block as well.

I'll discuss with the other devs, because this probably needs to be
expanded upon for removal, and/or tightening general control elsewhere.


Attached File

No Files Currently Attached

Change ( 1 )

Field Old Value Date By
assigned_to nobody 2009-06-02 02:13 jangliss
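A worked check of the matching rule behind the report and the follow-up comment, added here as an example; it is not the report's text nor the project's own code. It re-implements, for IPv4 only, how Apache 2.2 mod_authz_host (mod_access_compat on 2.4) interprets the argument of Allow/Deny from: "all", a full address, a partial address made of leading octets, or a CIDR prefix. The FIXED_PARTIAL block is an assumed reconstruction of the fix the comment describes, since the committed text is not on this page; all function and constant names are this example's own. It also shows the caveat a reviewer would raise on the comment: a partial address "172.16" covers only 172.16.0.0/16, while the RFC 1918 block is 172.16.0.0/12, which Apache can only express in CIDR or netmask form.

```python
"""Apache 2.2 Order/Deny/Allow evaluation for the .htaccess rules in the report.

Added example, not project code.  Only the argument forms used in the report
are handled: 'all', a full IPv4 address, a partial IPv4 address (leading
octets such as '192' or '192.168') and CIDR prefixes.  Hostnames and
a.b.c.d/netmask are omitted.  Names here are this example's own.
"""
import ipaddress


def rule_matches(rule: str, client_ip: str) -> bool:
    """True if one 'from' argument matches client_ip (IPv4 only)."""
    rule = rule.strip()
    if rule.lower() == "all":
        return True
    ip = ipaddress.IPv4Address(client_ip)
    if "/" in rule:
        return ip in ipaddress.IPv4Network(rule, strict=False)
    octets = rule.split(".")
    if len(octets) == 4:
        return ip == ipaddress.IPv4Address(rule)
    # Partial address: Apache compares only the octets that were written,
    # so '192' matches every address whose first octet is 192.
    return client_ip.split(".")[: len(octets)] == octets


def parse_access_block(text: str):
    """Extract Order / Deny from / Allow from lines; default Order is Deny,Allow."""
    order, deny, allow = "Deny,Allow", [], []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "order" and len(parts) == 2:
            order = parts[1]
        elif directive in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            (allow if directive == "allow" else deny).extend(parts[2:])
    return order, deny, allow


def evaluate(order: str, deny, allow, client_ip: str) -> bool:
    """Apply Apache's two evaluation orders to one client address."""
    denied = any(rule_matches(r, client_ip) for r in deny)
    allowed = any(rule_matches(r, client_ip) for r in allow)
    if order.lower() == "deny,allow":
        # Default permit: a Deny match is overridden by any Allow match.
        return allowed or not denied
    if order.lower() == "allow,deny":
        # Default reject: an Allow must match and no Deny may match.
        return allowed and not denied
    raise ValueError(f"unsupported Order: {order}")


def is_allowed(htaccess: str, client_ip: str) -> bool:
    return evaluate(*parse_access_block(htaccess), client_ip)


# The .htaccess lines quoted in the report.
ORIGINAL = """\
Order Deny,Allow
Deny from All
Allow from 127
Allow from 10
Allow from 192
"""

# Assumed shape of the fix described in the comment (partial prefixes for
# each RFC 1918 block); the committed text is not on this page.
FIXED_PARTIAL = """\
Order Deny,Allow
Deny from All
Allow from 127
Allow from 10
Allow from 172.16
Allow from 192.168
"""

# The same intent in CIDR form, the only way to cover all of 172.16.0.0/12.
FIXED_CIDR = """\
Order Deny,Allow
Deny from All
Allow from 127.0.0.0/8
Allow from 10.0.0.0/8
Allow from 172.16.0.0/12
Allow from 192.168.0.0/16
"""

if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL), ("partial", FIXED_PARTIAL), ("cidr", FIXED_CIDR)):
        for client in ("127.0.0.1", "10.1.2.3", "172.31.0.9", "192.168.5.5", "192.0.2.10"):
            verdict = "allow" if is_allowed(conf, client) else "deny"
            print(f"{label:8s} {client:14s} {verdict}")
```

Running it shows the report's point directly: under ORIGINAL the public address 192.0.2.10 is allowed, under either fix it is denied; and 172.31.0.9, which is inside RFC 1918 space, is denied by the partial-prefix fix but allowed by the CIDR form. On Apache 2.4 the native replacement is `Require ip 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16`, with Order/Allow/Deny only available through mod_access_compat.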