[Pmwiki-users] more thoughts on .htaccess
Tue Dec 7 08:28:45 CST 2004
At 2004-12-07 07:43 AM -0700, Patrick R. Michaud is rumored to have said:
>Are you sure that .htaccess is disabled? Looking at httpd.conf is
>often not sufficient, because there could be directives in other
>files included from httpd.conf that change this setting for specific
>directories. For example, under Red Hat 9 all of the *.conf files in
>/etc/httpd/conf.d are treated part of httpd.conf.
>The real way to know is to try to access a file in your local/ directory
>from a browser. For example, I have the development version of pmwiki
>installed at http://www.pmwiki.org/pmwiki2, and its local/ directory is
>*not* protected (on purpose) -- see http://www.pmwiki.org/pmwiki2/local/ .
>However, a default installation of PmWiki should have its local
>directory protected -- for example, see
> http://www.pmwiki.org/work/pmwiki/local, and
> http://www.pmwiki.org/work/pmwiki/local/config.php .
>The last two should give access denied ("Forbidden") errors, because of
>the .htaccess file in local/.
I should have been more specific. On the *Windoze* version of Apache 2, the
default install has all .htaccess files disabled. Judging by the
documentation, I would expect this to be true on any version of Apache 2.
The only "include" in the default httpd.conf file is a conditional include
of ssl.conf. I have inserted two includes of my own: one for vhosts and one
to configure mod_perl.
Clicking on your links above gave the expected results. Accessing similar
URIs on my installation gave different results:
* /pmwiki --- works
* /pmwiki/local --- gives 403 Forbidden (because I have directory listing
* /pmwiki/local/config.php --- produces an html page whose entire
contents are "<html><body></body></html>"
Given this result, what is the risk posed by having the server "execute"
Corporate info at http://www.eton.ca/
Eton Systems, 15 Pinepoint Drive, Nepean, ON, Canada K2H 6B1
Tel: (613) 829-4668
More information about the pmwiki-users