Server error & htaccess files in second level directories

For questions and problems with the CMS core. This board is NOT for any 3rd party modules, addons, PHP scripts or anything NOT distributed with the CMS made simple package itself.
10010110
Translator
Posts: 224
Joined: Tue Jan 22, 2008 9:57 am

Server error & htaccess files in second level directories

Post by 10010110 »

OK, here’s the issue: I haven’t worked with CMS made simple in a while and after finding out that an old site with CMSms 1.2.3 (or some similar version) has been hacked (the beloved iframe injection) I upgraded to the latest version. However, images wouldn’t show up anymore and after racking my brain about that I found out it’s the htaccess files in the /uploads and /images directories that give me a “500” server error when I try to load them directly by putting the image URL/path in the address bar.

I was asking my web host what we can do about it and they said that the configuration of my shared webhosting server doesn’t allow settings like in these htaccess files (i.e. these “deny phps” settings). So my question is: What’s the purpose of that anyway if I can’t even access the files directly? I understand that it must be for security reasons but that seems to go a little far. It’s like those record companies that implement a copy protection on their CDs and then they are so secure you can’t even play them anymore.

Is it OK to not have these htaccess files? Or better yet: is it possible to change it so that it’s just as secure but with no server issues?

I’m thankful for anyone who can enlighten me and liberate me from the despair. It kept me busy for hours now.  :(
nomikon
New Member
Posts: 7
Joined: Thu Dec 06, 2007 3:05 pm

Re: Server error & htaccess files in second level directories

Post by nomikon »

Well, I've just been in a similar situation: we have some websites built over CMS MS 1.3.1. After upgrading the first one to 1.4.1 I had the same problem with images from /uploads directory. Checking the Apache log I saw that "uploads/.htaccess: order not allowed here" message, so I checked the differences with my previous, backed-up setup and found no .htaccess file at all in uploads/.

Of course, I could make it work again by inserting an "AllowOverride Limits" in the virtual server configuration, but I don't like such generic overrides, although on the other hand I wanted to keep that protection (surely it was there for some reason). Finally, I added these lines to my virtual server configuration:

    # To deny PHPs
   
       
            order deny,allow
            deny from all
       
   

As far as I know, all is running fine again. Of course, if there is a better solution I'll be glad to know about it.

Regards,
NK.
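
An added example (not the poster's configuration, whose section tags did not survive on this page) of the approach described above: the deny rule lives in the virtual host, so no .htaccess file and no AllowOverride is needed in uploads/. The server name, the paths and the extension pattern are assumptions chosen for illustration.

```apache
# Added example. ServerName, DocumentRoot, the uploads path and the
# extension pattern are placeholders, not values from the thread.
<VirtualHost *:80>
    ServerName www.example.org
    DocumentRoot "/var/www/example"

    <Directory "/var/www/example/uploads">
        # Overrides stay off: any .htaccess in this directory is ignored,
        # so "order not allowed here" can no longer produce a 500 error.
        AllowOverride None

        # Refuse to serve script files; images and other static files
        # are still delivered normally.
        # (?i)    matches .PHP as well as .php
        # (\.|$)  also matches names such as file.php.jpg, which mod_mime
        #         can still map to the PHP handler via the inner extension
        <FilesMatch "(?i)\.(php\d?|phtml)(\.|$)">
            <IfModule mod_authz_core.c>
                # Apache 2.4 syntax
                Require all denied
            </IfModule>
            <IfModule !mod_authz_core.c>
                # Apache 2.2 syntax, the form quoted in the post above
                Order deny,allow
                Deny from all
            </IfModule>
        </FilesMatch>
    </Directory>
</VirtualHost>
```

Run `apachectl configtest` before reloading; afterwards a request for an image under /uploads should return 200 and a request for a .php file there should return 403.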
seliger

Re: Server error & htaccess files in second level directories

Post by seliger »

Well, I for one would like to know the "for some reason" part of adding the .htaccess restriction in /uploads.

I have a client who uploaded his custom PHPs there and he's notably *angry* that when we upgraded him to 1.4.1 his scripts stopped working all of a sudden.

Not thinking it was a CMS issue, we spent hours crawling through configuration files, logs, etc. trying to figure out what the problem was.

If we are going to tighten up security, that is good and well, but a "WHY" is definitely needed in this case. The /uploads directory is just another directory within the grand scheme of things -- and as far as I am concerned, can be used for anything, including external PHPs.

I'm sure there are 100 reasons for the contrary, but I really need to know at least one of them.


Thanks!
Corey