
directories _files, _rss, _settings, _tmp are not protected


May 17, 2007 / jd
Jan 5, 2009 / phsouzacruz


Issue report

You can easily browse and view the content of files in these directories directly from the browser. The same thing with the other dirs, but those dirs are not so critical as for me because they contain only php scripts.
I've made a quick fix with the .htaccess

from .htaccess

deny from all
and put this file in each dir (except js and themes - they need to be not protected).
The other way to fix it is to put this code into the main .htaccess file:

from .htaccess

RewriteRule !\.(js|ico|gif|jpg|png|css)$ index.php



11 years ago

Not everyone renames htaccess.txt to .htaccess, so maybe this isn't the best solution although I do see your reasoning.
If you are familiar with Joomla! CMS you will have noticed they place a single blank index.html file into every directory in their packages/repository.

from index.html

<body bgcolor="#FFFFFF">

jd:Reply to Joomla!

11 years ago

Yes, that is another way to fix it. It will protect the dir from browsing, but it does not protect from viewing the content of files.

@pixtur: by the way, it seems that current package of streber (streber_v0.08.zip) does not include any .htaccess file.


11 years ago
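
The thread distinguishes two protections: a `.htaccess` containing `deny from all` blocks access to the files, while a blank `index.html` only hides the directory listing. The following audit script is an added example, not part of the thread or of streber; the function names `classify` and `audit` are hypothetical, and it also accepts `Require all denied`, the Apache 2.4 form of the same directive.

```python
import re
import sys
from pathlib import Path

# Directories named in the issue report.
SENSITIVE_DIRS = ("_files", "_rss", "_settings", "_tmp")

# Apache 2.2 syntax ("deny from all") and its 2.4 equivalent ("Require all denied").
DENY_RE = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$",
                     re.IGNORECASE | re.MULTILINE)


def classify(directory: Path) -> str:
    """Return 'missing', 'denied', 'listing-hidden' or 'exposed' for one directory."""
    if not directory.is_dir():
        return "missing"
    htaccess = directory / ".htaccess"
    if htaccess.is_file():
        text = htaccess.read_text(errors="replace")
        # Drop comment lines so a commented-out directive does not count.
        active = "\n".join(line for line in text.splitlines()
                           if not line.lstrip().startswith("#"))
        if DENY_RE.search(active):
            return "denied"
    # A blank index.html hides the listing, but every file stays fetchable by name.
    if (directory / "index.html").is_file():
        return "listing-hidden"
    return "exposed"


def audit(webroot: str, dirs=SENSITIVE_DIRS) -> dict:
    """Classify each sensitive directory under the given web root."""
    root = Path(webroot)
    return {name: classify(root / name) for name in dirs}


if __name__ == "__main__":
    # Usage: python audit.py /path/to/streber  (defaults to the current directory)
    for name, status in audit(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{name:12} {status}")
```

This checks files on disk only: it does not evaluate the `RewriteRule` alternative in the main `.htaccess`, nor whether the server's `AllowOverride` setting lets Apache read `.htaccess` files at all.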