Security Fix? - My Forums

Re: Security Fix?

xwisdom — Jul 14, 2005, 12:45 AM

Quote from: Bravado at Jul 13, 2005, 09:45 PM

That’s a big "DUH!" for me!? Why didn’t I think of that?? At first I thought,"IDX files?".? Then it dawned on me...the siteCashe.idx file!? Definitely a security risk!? I’d probably do the same for .pageCache files as well.? Even though there really isn’t anything in them too important, doesn’t hurt to be careful.?

Well tha’s the way to go for Linux users but what about Windows users?

The good news is that this security bug was fixed sometime ago in TP3. We have renamed the files to .php so no need for a ReWrite rule

Re: Security Fix?

Bravado — Jul 13, 2005, 04:45 PM

That’s a big "DUH!" for me! Why didn’t I think of that? At first I thought,"IDX files?". Then it dawned on me...the siteCashe.idx file! Definitely a security risk! I’d probably do the same for .pageCache files as well. Even though there really isn’t anything in them too important, doesn’t hurt to be careful.

Re: Security Fix?

zeth — Jul 13, 2005, 07:10 AM

Quote from: Bravado at Jul 12, 2005, 07:30 PM

Not sure what this really does...but from what I can tell, it looks like an extra rewrite rule that changes the URL of the 404 page. Probably a good idea at any rate.

It simply rewrites all requests for .idx files to the /404.html page.

Re: Security Fix?

Bravado — Jul 12, 2005, 10:42 PM

Heh heh! Figures!

Re: Security Fix?

rethrash — Jul 12, 2005, 04:55 PM

Actually, I believe that was addressed in a code update long ago. Raymond is even helping the Etomite folks with a couple of other security fixes he found and fixed at the same time as this!

Security Fix?

Bravado — Jul 12, 2005, 02:30 PM

Not sure if this is indeed a bug....so I figured it should go in the Core Development section. Just wondering if anyone saw this post on the Etomite forum:

http://www.etomite.org/forums/index.php?showtopic=2772

Without going into any specific details regarding this possbile threat, for security reasons, every Etomite installation using .htaccess should add the following lines to the .htaccess file in either their Etomite root directory or doc root... This issue has been brought to our attention and I have modified and tested this fix on my own server with and without FURL’s... This fix will be standard in the 0.6.1 release... These lines should be placed below RewriteEngine On...

RewriteCond %{REQUEST_URI} ^.*\.idx$
RewriteRule ^.*\.idx$ /404.html [L,QSA]

This security issue was brought to our attention by Alberto Yon Valverde Gonz?lez... Alberto states that using RewriteRule ^.*\.idx$ /404.html [F,L] as being a better rewrite rule... On my server, however, the rewrite rule that I posted above seems to process more rapidly...

Not sure what this really does...but from what I can tell, it looks like an extra rewrite rule that changes the URL of the 404 page. Probably a good idea at any rate.

Jeff