[Pmwiki-users] more thoughts on .htaccess

Neil Herber nospam
Tue Dec 7 08:28:45 CST 2004


At 2004-12-07  07:43 AM -0700, Patrick R. Michaud is rumored to have said:
>Are you sure that .htaccess is disabled?  Looking at httpd.conf is
>often not sufficient, because there could be directives in other
>files included from httpd.conf that change this setting for specific
>directories.  For example, under Red Hat 9 all of the *.conf files in
>/etc/httpd/conf.d are treated part of httpd.conf.
>
>The real way to know is to try to access a file in your local/ directory
>from a browser.  For example, I have the development version of pmwiki
>installed at http://www.pmwiki.org/pmwiki2, and its local/ directory is
>*not* protected (on purpose) -- see http://www.pmwiki.org/pmwiki2/local/ .
>However, a default installation of PmWiki should have its local
>directory protected -- for example, see
>     http://www.pmwiki.org/work/pmwiki,
>     http://www.pmwiki.org/work/pmwiki/local, and
>     http://www.pmwiki.org/work/pmwiki/local/config.php .
>
>The last two should give access denied ("Forbidden") errors, because of
>the .htaccess file in local/.

I should have been more specific. On the *Windoze* version of Apache 2, the 
default install has all .htaccess files disabled. Judging by the 
documentation, I would expect this to be true on any version of Apache 2.

The only "include" in the default httpd.conf file is a conditional include 
of ssl.conf. I have inserted two includes of my own: one for vhosts and one 
to configure mod_perl.

Clicking on your links above gave the expected results. Accessing similar 
URIs on my installation gave different results:
* /pmwiki  --- works
* /pmwiki/local   --- gives 403 Forbidden (because I have directory listing 
disabled)
* /pmwiki/local/config.php  ---  produces an html page whose entire 
contents are "<html><body></body></html>"

Given this result, what is the risk posed by having the server "execute" 
/pmwiki/local/config.php?


Neil

Neil Herber
Corporate info at http://www.eton.ca/
Eton Systems, 15 Pinepoint Drive, Nepean, ON, Canada K2H 6B1
Tel: (613) 829-4668 
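The check Patrick describes above (request local/ and local/config.php from a browser and expect "Forbidden") only passes if something actually denies the request; when Apache 2 ignores .htaccess files, the deny rule has to live in httpd.conf instead. The following fragment is an added example, not configuration from the thread or from the PmWiki distribution; the install path is an assumed placeholder, and it is written in Apache 2.0/2.2 syntax with the 2.4 equivalent noted in a comment.

```apache
# Added example (not from the thread): protect PmWiki's local/ directory
# from httpd.conf itself, so the protection holds even when .htaccess
# files are not processed (AllowOverride None, the default on Windows).
# "C:/Apache2/htdocs/pmwiki" is an assumed placeholder path.

<Directory "C:/Apache2/htdocs/pmwiki">
    # With this setting any local/.htaccess is ignored, so the deny
    # rules below must be here rather than in the directory.
    AllowOverride None
</Directory>

# Nothing under local/ should be reachable over HTTP: not executed,
# not listed, and not downloadable as raw PHP source.
<Directory "C:/Apache2/htdocs/pmwiki/local">
    Options None
    Order allow,deny
    Deny from all
    # Apache 2.4 equivalent of the two lines above:
    # Require all denied
</Directory>
```

After restarting Apache, repeating the three requests from the message (/pmwiki, /pmwiki/local, /pmwiki/local/config.php) should give a working wiki, 403 and 403; the empty "<html><body></body></html>" page for config.php should no longer appear. That empty page shows PHP executed the file rather than serving it, so nothing was disclosed in this instance, but a later change that stops PHP from handling files in that directory would return the raw config.php, and with it any settings and passwords it holds; denying the directory in httpd.conf removes that dependency.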
