View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0000712 | XMB1 | Bugs | public | 2024-05-02 16:46 | 2024-06-18 01:29 |
| Reporter | flushedpancake | Assigned To | |||
| Priority | low | Severity | minor | Reproducibility | N/A |
| Status | new | Resolution | open | ||
| Product Version | 1.9.8 SP2 | ||||
| Summary | 0000712: Replace 'directory-blocking' index.htm's with a .htaccess in the root | ||||
| Description | Said .htaccess just needs to have this content: 'Options -Indexes' - having a directory-blocking 'index.html' in every single directory is pointless duplication at best, and doesn't properly return the relevant HTTP code (403) that is wanted for system directories. For the case of certain directories, i.e. where file uploads (e.g. uploaded attachments, custom avatars) go, an additional .htaccess file with this content: 'php_admin_flag_engine=Off' should be somewhere in there to prevent PHP parsing the contents of the directory when accessed. This may help to avoid certain exploits involving embedded PHP in otherwise innocuous-seeming user-submitted data from ever being parsed. If the intent is to keep the fancy 'forbidden directory' message, adding an additional .htaccess in each system directory (but not subdirectory, so say, images/ but not images/davis) with the contents 'ErrorDocument 403 'The required libraries have not been defined.'' or whatever it is would suffice here. Hopefully my wording isn't too awkward here. | ||||
| Tags | No tags attached. | ||||
| MySQL Version | |||||
| PHP Version | |||||
| Web Server | Apache | ||||
| Browser | |||||
| Flags | |||||
| Original Reporter | |||||
| SVN Revision | |||||
|
|
Sounds like a hack for Apache users. I'm not saying the index.html files are totally necessary, but substituting an Apache-specific solution isn't my first choice. |
|
|
There are currently 12 copies of index.html. None of them appear to be necessary. I would think they only really hide some version hints under /include and /db. |
|
|
I'd just remove them and write some small documentation on how to configure the web server not to display the contents of board-related directories and to not execute PHP code in directories where it shouldn't do so like the ones for uploaded file storage. :P |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2024-05-02 16:46 | flushedpancake | New Issue | |
| 2024-06-01 07:05 | miqrogroove | Note Added: 0000515 | |
| 2024-06-03 07:37 | miqrogroove | Note Added: 0000516 | |
| 2024-06-18 01:29 | flushedpancake | Note Added: 0000517 |
