Bold red .htaccess warning required for admins

Ananas
Joined: 27 Jun 06
Posts: 305
Germany
Message 13715 - Posted: 10 Nov 2007, 1:32:37 UTC
Last modified: 10 Nov 2007, 1:51:40 UTC

Protect your admin stuff with .htaccess

I just found the third unprotected project management environment :-/

I'm just curious, not destructive - but others might find that stuff too.

Even if it is only a test environment, it might reveal some private information and project settings.


p.s.: Maybe the PHP should even enforce this protection and exit immediately if it is missing, so the admins have to install it before they can do anything with their scripts. If an admin doesn't like that, he can still remove the protective lines from the PHP.
ID: 13715
Ananas
Joined: 27 Jun 06
Posts: 305
Germany
Message 13725 - Posted: 10 Nov 2007, 3:04:17 UTC

// Refuse to run unless the web server authenticated the request and a .htaccess file exists
if (empty($_SERVER["REMOTE_USER"]) || empty($_SERVER["AUTH_TYPE"]) || !file_exists(".htaccess")) {
    die("Fix that authentication stuff before you dare to come back");
}
ID: 13725
Nicolas
Joined: 19 Jan 07
Posts: 1179
Argentina
Message 13726 - Posted: 10 Nov 2007, 3:17:49 UTC - in response to Message 13715.  

And that's misleading too. .htaccess is an inefficient way to change configuration if you have access to the main Apache config file.
ID: 13726
Ananas
Joined: 27 Jun 06
Posts: 305
Germany
Message 13727 - Posted: 10 Nov 2007, 4:02:00 UTC - in response to Message 13726.  

> And that's misleading too. .htaccess is an inefficient way to change configuration if you have access to the main Apache config file.


Any kind of protection will do (the snippet doesn't check for "Basic") and .htaccess should exist anyway - and be it only to set CheckSpelling Off and Options -Indexes

It's just to make the admin really be aware of the necessity for protection.
ID: 13727
Nicolas
Joined: 19 Jan 07
Posts: 1179
Argentina
Message 13738 - Posted: 10 Nov 2007, 17:41:17 UTC - in response to Message 13727.  

> and .htaccess should exist anyway - and be it only to set CheckSpelling Off and Options -Indexes

CheckSpelling and Options should be on the main config as well. .htaccess is only useful for shared host admins to let users change some configuration where they don't have access to the main configuration file. In all other cases, it's a good idea to set AllowOverride None so that Apache doesn't even check for the existence of a .htaccess file, making it faster (no need to search and read the file on each request).

ID: 13738
Ananas
Joined: 27 Jun 06
Posts: 305
Germany
Message 13755 - Posted: 11 Nov 2007, 4:16:42 UTC - in response to Message 13738.  
Last modified: 11 Nov 2007, 4:18:39 UTC

> ... .htaccess is only useful for shared host admins ...


Well, that was the part I copied from the existing management scripts, so if you want to kick someone, kick the BOINC developers *g

Leave the .htaccess check out, test only the two $_SERVER elements and change the text - but the reaction should be a bold red die(), not just a thin red echo().
ID: 13755
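
The check proposed in the last post (test only the two $_SERVER elements and answer with a bold red die()), written out as an added example that is not part of the thread or of BOINC's code. The function names, the 403 status, the message wording and the sample arrays are assumptions made for illustration.

```php
<?php
// Added example, not BOINC code. Function names, the 403 status and the
// message wording are assumptions made for illustration.

// Returns null when the web server authenticated the request, otherwise the
// reason it did not. Only REMOTE_USER and AUTH_TYPE are tested, so the result
// is the same whether auth lives in .htaccess or in the main Apache config.
function admin_auth_problem(array $server): ?string
{
    if (empty($server['REMOTE_USER'])) {
        return 'REMOTE_USER is empty: no user was authenticated';
    }
    if (empty($server['AUTH_TYPE'])) {
        return 'AUTH_TYPE is empty: no authentication scheme is active';
    }
    return null;
}

// Call as require_admin_auth($_SERVER) at the top of every admin page.
function require_admin_auth(array $server): void
{
    $problem = admin_auth_problem($server);
    if ($problem === null) {
        return;
    }
    http_response_code(403); // do not serve admin content with a 200
    die('<p style="color:red;font-weight:bold">Admin pages are unprotected ('
        . htmlspecialchars($problem)
        . '). Configure web server authentication before using them.</p>');
}

// Constructed $_SERVER samples so the example runs from the command line.
$samples = [
    'no auth configured'   => ['REQUEST_URI' => '/admin/'],
    'user but no scheme'   => ['REMOTE_USER' => 'admin'],
    'basic auth in effect' => ['REMOTE_USER' => 'admin', 'AUTH_TYPE' => 'Basic'],
];
foreach ($samples as $label => $server) {
    $problem = admin_auth_problem($server);
    echo $label, ': ', $problem === null ? 'allowed' : "blocked ($problem)", "\n";
}
```

Because the guard never looks for a .htaccess file, it keeps working when the protection is moved into the main Apache configuration and AllowOverride None is set.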


Copyright © 2024 University of California.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.