View Issue Details

ID: 0000712
Project: XMB1
Category: Bugs
View Status: public
Last Update: 2024-06-18 01:29
Reporter: flushedpancake
Assigned To:
Priority: low
Severity: minor
Reproducibility: N/A
Status: new
Resolution: open
Product Version: 1.9.8 SP2
Summary: 0000712: Replace 'directory-blocking' index.htm's with a .htaccess in the root
Description: Said .htaccess just needs to have this content: 'Options -Indexes' - having a directory-blocking 'index.html' in every single directory is pointless duplication at best, and doesn't properly return the relevant HTTP code (403) that is wanted for system directories.

For the case of certain directories, i.e. where file uploads (e.g. uploaded attachments, custom avatars) go, an additional .htaccess file with this content: 'php_admin_flag_engine=Off' should be somewhere in there to prevent PHP parsing the contents of the directory when accessed. This may help to avoid certain exploits involving embedded PHP in otherwise innocuous-seeming user-submitted data from ever being parsed.

If the intent is to keep the fancy 'forbidden directory' message, adding an additional .htaccess in each system directory (but not subdirectory, so say, images/ but not images/davis) with the contents 'ErrorDocument 403 'The required libraries have not been defined.'' or whatever it is would suffice here.

Hopefully my wording isn't too awkward here.
Tags: No tags attached.
MySQL Version:
PHP Version:
Web Server: Apache
Browser:
Flags:
Original Reporter:
SVN Revision:

Activities

miqrogroove

2024-06-01 07:05

administrator   ~0000515

Sounds like a hack for Apache users. I'm not saying the index.html files are totally necessary, but substituting an Apache-specific solution isn't my first choice.

miqrogroove

2024-06-03 07:37

administrator   ~0000516

There are currently 12 copies of index.html. None of them appear to be necessary. I would think they only really hide some version hints under /include and /db.

flushedpancake

2024-06-18 01:29

reporter   ~0000517

I'd just remove them and write some small documentation on how to configure the web server not to display the contents of board-related directories and to not execute PHP code in directories where it shouldn't do so like the ones for uploaded file storage. :P
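The server-side documentation the last note asks for, as an added example that is not part of this issue or of XMB's own code. It writes the two .htaccess files discussed in the thread and adds a curl-based check for a live board. It assumes Apache 2.4 (the `Require` syntax) with `AllowOverride` covering at least `Options FileInfo AuthConfig` for the board's DocumentRoot; the directory names `include/` and `db/` are the ones named in note ~0000516, while `images/avatars/` and `http://forum.example/` are placeholders. Two details differ from the wording in the description: `php_admin_flag` is accepted only in the main server or virtual-host configuration, so the .htaccess form is `php_flag engine off`; and that directive only has an effect when PHP runs as mod_php, so the example also denies PHP-like file names outright, which works under PHP-FPM or CGI as well. `ErrorDocument` takes a literal message only when it is double-quoted.

```shell
#!/bin/sh
# Added example, not XMB's own code: writes the .htaccess files proposed in
# issue 0000712 and offers a live check with curl. Assumes Apache 2.4 with
# AllowOverride "Options FileInfo AuthConfig" for the board root; the PHP
# directives only matter under mod_php, hence the IfModule guard.

# $1 = board root (the forum's DocumentRoot). Blocks listings everywhere.
write_root_htaccess() {
  cat > "$1/.htaccess" <<'EOF'
# No directory listings anywhere below this point: a directory with no
# index file now answers 403 instead of showing its contents.
Options -Indexes
# Optional custom text for that 403. Apache treats the argument as a
# literal message only when it is double-quoted.
ErrorDocument 403 "The required libraries have not been defined."
EOF
}

# $1 = directory that stores user uploads (attachments, avatars).
write_upload_htaccess() {
  cat > "$1/.htaccess" <<'EOF'
# Belt: switch the PHP engine off for this tree. php_admin_flag is refused
# in .htaccess (server config / vhost only); php_flag is the .htaccess form.
# PHP 7 builds name the module source mod_php7.c instead of mod_php.c.
<IfModule mod_php.c>
  php_flag engine off
</IfModule>
# Braces: never serve files with PHP-like extensions from here at all,
# whichever SAPI (mod_php, PHP-FPM, CGI) handles .php elsewhere.
<FilesMatch "(?i)\.(php[0-9]?|phtml|phar|phps|pht)$">
  Require all denied
</FilesMatch>
EOF
}

# Prints the HTTP status code for a URL (used by the live check).
http_status() {
  curl -s -o /dev/null -w '%{http_code}' "$1"
}

# Live check against a running board (assumed URLs/paths, see lead-in).
#   $1 = base URL, e.g. http://forum.example/
#   $2 = upload directory on disk (writable by this script)
#   $3 = URL path of that directory, e.g. images/avatars/
# Returns 0 when listings are blocked and PHP in uploads is not executed.
check_live() {
  base=$1; updir=$2; uppath=$3; rc=0
  for d in include/ db/ "$uppath"; do
    s=$(http_status "$base$d")
    [ "$s" = "403" ] || { echo "FAIL $d: answered $s, expected 403"; rc=1; }
  done
  # Drop a harmless probe and see whether the server runs it.
  probe=$updir/htaccess_probe_$$.php
  printf '%s\n' '<?php echo "EXECUTED"; ?>' > "$probe"
  body=$(curl -s "$base$uppath$(basename "$probe")")
  rm -f "$probe"
  case $body in
    *EXECUTED*) echo "FAIL: PHP placed in $uppath is executed"; rc=1 ;;
    *) echo "ok: PHP placed in $uppath is not executed" ;;
  esac
  return $rc
}

# Usage:
#   sh harden.sh /var/www/forum /var/www/forum/images/avatars
#   sh harden.sh --check http://forum.example/ /var/www/forum/images/avatars images/avatars/
if [ "$1" = "--check" ]; then
  check_live "$2" "$3" "$4"
elif [ -n "$1" ]; then
  write_root_htaccess "$1"
  [ -n "$2" ] && write_upload_htaccess "$2"
fi
```

The 403 check on `include/` and `db/` only holds once the placeholder index.html files have been removed; with them in place Apache answers 200. If any of these directives is not permitted by `AllowOverride`, Apache returns 500 for the whole tree, so read the error log right after deploying.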

Issue History

Date Modified Username Field Change
2024-05-02 16:46 flushedpancake New Issue
2024-06-01 07:05 miqrogroove Note Added: 0000515
2024-06-03 07:37 miqrogroove Note Added: 0000516
2024-06-18 01:29 flushedpancake Note Added: 0000517