not version specific
.htaccess files in /doc and /contrib have incorrect Apache permission directives
The .htaccess files in /doc and /contrib have the following entries:
Deny from All
Allow from 127
Allow from 10
Allow from 192
The last entry, "Allow from 192", allows access from publicly routable network blocks: Apache treats a partial address as a prefix, so "192" matches every address in 192.0.0.0/8, not only the private 192.168.0.0/16 block. To achieve the desired effect, that line should read "Allow from 192.168".
Additionally, I question the wisdom of including 10 and 192.168. Just because a network block is not publicly routable does not mean that it poses no threat. There are large networks that use private network address spaces with potentially hostile hosts in them. If the 10 and 192.168 entries were to be removed, then I would prefer to see the .htaccess files simply changed to "Deny from All", as the only entry left is the local loopback address space, and anyone on the local machine can directly read those directories anyway.
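To make the prefix problem concrete, here is an added example (not code from the ticket or the project) that mimics how Apache's host-based access control matches partial dotted addresses and evaluates the quoted entries. It assumes the files are evaluated under "Order Deny,Allow", Apache's default when no Order directive is present; the sample client addresses are constructed, and 192.0.2.10 is taken from the TEST-NET-1 documentation range, i.e. publicly routable space.

```python
import ipaddress

# Constructed copies of the two .htaccess variants discussed in the ticket.
HTACCESS_AS_REPORTED = ["Deny from All", "Allow from 127", "Allow from 10",
                        "Allow from 192"]       # faulty: matches all of 192.0.0.0/8
HTACCESS_FIXED = ["Deny from All", "Allow from 127", "Allow from 10",
                  "Allow from 192.168"]         # the correction proposed above


def host_matches(pattern, client_ip):
    """Match one 'Allow/Deny from' argument the way mod_authz_host does:
    'All' matches everything, a CIDR block is a network test, and a partial
    dotted address (1-3 octets) matches when the client's leading octets
    equal it. Octets are compared whole, so '10' matches 10.x.x.x but not
    100.x.x.x, and '192' matches 192.0.2.10 as well as 192.168.1.5."""
    if pattern.lower() == "all":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    wanted = pattern.split(".")
    return client_ip.split(".")[: len(wanted)] == wanted


def access_allowed(directives, client_ip):
    """Evaluate the entries under 'Order Deny,Allow' (assumed; Apache's default
    when no Order directive is given): a client matching any Deny is refused
    unless it also matches an Allow; a client matching neither is allowed."""
    denied = allowed = False
    for line in directives:
        line = line.strip()
        if not line or line.startswith("#"):    # skip blank and comment lines
            continue
        verb, _from, *patterns = line.split()
        hit = any(host_matches(p, client_ip) for p in patterns)
        if verb.lower() == "deny":
            denied = denied or hit
        elif verb.lower() == "allow":
            allowed = allowed or hit
    return allowed or not denied


if __name__ == "__main__":
    for ip in ("127.0.0.1", "192.168.1.5", "192.0.2.10", "100.64.0.1"):
        print(ip, "reported:", access_allowed(HTACCESS_AS_REPORTED, ip),
              "fixed:", access_allowed(HTACCESS_FIXED, ip))
```

Running it shows the public address 192.0.2.10 admitted by the reported files and refused by the corrected ones, while loopback and 192.168.x.x clients are treated the same by both.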