directories _files, _rss, _settings, _tmp are not protected / #5212

Summary

open
May 17, 2007
May 17, 2007 / jd
May 21, 2007 / pixtur
 


Issue report

You can easily browse and view the content of files in these directories directly from the browser. The same goes for the other dirs, but those dirs are not so critical for me because they contain only PHP scripts.
I've made a quick fix with the .htaccess:

from .htaccess

deny from all
and put this file in each dir (except js and themes - they need to stay unprotected).
The other way to fix it is to put this code into the main .htaccess file:

from .htaccess

RewriteRule !\.(js|ico|gif|jpg|png|css)$ index.php
 

3 Comments

deizel

May 17, 2007
Joomla!
Not everyone renames htaccess.txt to .htaccess, so maybe this isn't the best solution, although I do see your reasoning.
If you are familiar with Joomla! CMS you will have noticed they place a single blank index.html file into every directory in their packages/repository.

from index.html

<html>
<body bgcolor="#FFFFFF">
</body>
</html>

jd

May 17, 2007
Reply to Joomla!
Yes, that is another way to fix it. It will protect the dir from browsing, but it does not protect against viewing the content of files.

@pixtur: by the way, it seems that the current package of streber (streber_v0.08.zip) does not include any .htaccess file.
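
The distinction drawn in this thread (a blank index.html only hides the listing, while a per-directory `deny from all` blocks the files themselves) can be checked on disk with a short script. This is an added example, not part of the issue or of streber's code; the function names and state labels are hypothetical, and it inspects files only, so it does not see the main-.htaccess RewriteRule alternative.

```python
import re
import tempfile
from pathlib import Path

# Directory names from the issue title; js and themes must stay public.
DATA_DIRS = ("_files", "_rss", "_settings", "_tmp")

# The issue's "deny from all" (Apache 2.2 syntax) or the 2.4 form
# "Require all denied"; commented-out lines do not match.
DENY_RE = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$",
                     re.IGNORECASE | re.MULTILINE)

def classify(directory):
    """Return 'missing', 'denied', 'listing-hidden' or 'exposed'."""
    directory = Path(directory)
    if not directory.is_dir():
        return "missing"
    htaccess = directory / ".htaccess"
    if htaccess.is_file() and DENY_RE.search(htaccess.read_text(errors="replace")):
        return "denied"          # deny rule present (if Apache honours .htaccess)
    if (directory / "index.html").is_file():
        return "listing-hidden"  # no listing, but files are served by name
    return "exposed"             # listing and files both reachable

def audit(webroot):
    """Map each data directory under webroot to its protection state."""
    return {name: classify(Path(webroot) / name) for name in DATA_DIRS}

def protect(webroot):
    """Append the quick fix where it is missing; return the directories changed."""
    changed = []
    for name, state in audit(webroot).items():
        if state in ("exposed", "listing-hidden"):
            with open(Path(webroot) / name / ".htaccess", "a") as fh:
                fh.write("\ndeny from all\n")
            changed.append(name)
    return changed

if __name__ == "__main__":
    # Constructed sample tree, not a real streber installation.
    with tempfile.TemporaryDirectory() as root:
        for name in DATA_DIRS:
            (Path(root) / name).mkdir()
        (Path(root) / "_rss" / "index.html").write_text("<html></html>")
        print(audit(root))
        print("fixed:", protect(root))
        print(audit(root))
```

A `denied` result only means the rule is on disk: Apache ignores .htaccess files unless `AllowOverride` permits them, so confirm with a real request that a known file in each directory is refused.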

pixtur

May 21, 2007
 
