-
- 1,131 Posts
Not sure if this is indeed a bug....so I figured it should go in the Core Development section. Just wondering if anyone saw this post on the Etomite forum:
http://www.etomite.org/forums/index.php?showtopic=2772
Without going into any specific details regarding this possible threat, for security reasons, every Etomite installation using .htaccess should add the following lines to the .htaccess file in either their Etomite root directory or doc root... This issue has been brought to our attention and I have modified and tested this fix on my own server with and without FURL’s... This fix will be standard in the 0.6.1 release... These lines should be placed below RewriteEngine On...
RewriteCond %{REQUEST_URI} ^.*\.idx$
RewriteRule ^.*\.idx$ /404.html [L,QSA]
This security issue was brought to our attention by Alberto Yon Valverde González... Alberto states that using RewriteRule ^.*\.idx$ /404.html [F,L] as being a better rewrite rule... On my server, however, the rewrite rule that I posted above seems to process more rapidly...
Not sure what this really does...but from what I can tell, it looks like an extra rewrite rule that changes the URL of the 404 page. Probably a good idea at any rate.
Jeff
Jeff Whitfield
"I like my coffee hot and strong, like I like my women, hot and strong... with a spoon in them."
-
- 1,131 Posts
Heh heh! Figures!
Jeff Whitfield
-
- 19 Posts
Quote from: Bravado at Jul 12, 2005, 07:30 PM
Not sure what this really does...but from what I can tell, it looks like an extra rewrite rule that changes the URL of the 404 page. Probably a good idea at any rate.
It simply rewrites all requests for .idx files to the /404.html page.
Johnny Chadda
http://johnny.chadda.se
"This is a UNIX virus. Please remove all your files and copy this message to friends."
-
- 1,131 Posts
That’s a big "DUH!" for me! Why didn’t I think of that? At first I thought, "IDX files?". Then it dawned on me...the siteCache.idx file! Definitely a security risk! I’d probably do the same for .pageCache files as well. Even though there really isn’t anything in them too important, doesn’t hurt to be careful.
Jeff Whitfield
-
- 1,732 Posts
Quote from: Bravado at Jul 13, 2005, 09:45 PM
That’s a big "DUH!" for me! Why didn’t I think of that? At first I thought, "IDX files?". Then it dawned on me...the siteCache.idx file! Definitely a security risk! I’d probably do the same for .pageCache files as well. Even though there really isn’t anything in them too important, doesn’t hurt to be careful.
Well that’s the way to go for Linux users but what about Windows users?
The good news is that this security bug was fixed some time ago in TP3. We have renamed the files to .php so no need for a ReWrite rule.
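Added example, not part of the original thread or of Etomite's code: a small audit script that walks a web root and reports which cache files the rule pattern quoted above covers, first as posted (.idx only) and then extended to the .pageCache files mentioned later. The combined pattern, the sample directory layout and every file name other than siteCache.idx are constructed for this example, and Python's `re` stands in for mod_rewrite's matching of the per-directory path.

```python
import os
import re
import tempfile

# Rule pattern quoted in the thread, and a variant that also covers the
# .pageCache files mentioned later (the combined pattern is this example's
# assumption, not a rule posted by anyone in the thread).
IDX_ONLY = re.compile(r"^.*\.idx$")
IDX_AND_PAGECACHE = re.compile(r"^.*\.(idx|pageCache)$")
CACHE_SUFFIXES = (".idx", ".pagecache")  # compared case-insensitively


def audit(docroot, pattern):
    """Split cache files under docroot into (covered, exposed) by the rule."""
    covered, exposed = [], []
    for base, _dirs, files in os.walk(docroot):
        for name in files:
            if not name.lower().endswith(CACHE_SUFFIXES):
                continue  # e.g. *.idx.php is assumed to be run by PHP, not served raw
            rel = os.path.relpath(os.path.join(base, name), docroot)
            rel = rel.replace(os.sep, "/")
            (covered if pattern.match(rel) else exposed).append(rel)
    return sorted(covered), sorted(exposed)


def build_sample_tree(root):
    """Constructed sample layout; directory and file names are illustrative."""
    for rel in ("cache/siteCache.idx", "cache/docid_1.pageCache",
                "cache/siteCache.idx.php", "index.php"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample")


def run_demo():
    """Audit the constructed tree with both patterns."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit(root, IDX_ONLY), audit(root, IDX_AND_PAGECACHE)


if __name__ == "__main__":
    for label, (covered, exposed) in zip(("idx only", "idx + pageCache"), run_demo()):
        print(label, "covered:", covered, "exposed:", exposed)
```

Pointing `audit()` at a real document root lists any cache files the chosen pattern would leave directly requestable; files already renamed to .php are skipped.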