LiteSpeed Support Forums


aww 05-07-2007 04:05 AM

open directory loophole (bypasses .htaccess)
 
Apparently LiteSpeed has a bug where, if you know the username, you can go right past any -Indexes in .htaccess:

http://example.com/~username

Shows the entire folder, no matter what.

So the emulation of Apache's mod_userdir is incomplete as it obeys .htaccess in that regard.

Also, I'd like an option (if there is not one already) to disable the ~username ability entirely, like cPanel's mod_userdir security tweak.

(Seriously, if you are claiming cPanel compatibility, you should go through all their security tweaks and make sure you can emulate them?)

mistwang 05-07-2007 09:38 PM

This has been fixed in the updated 3.1.1 release package. The "ErrorDocument" directive has been verified to be working.

aww 05-07-2007 10:23 PM

I am testing a .htaccess with just

ErrorDocument 403 "Forbidden"
ErrorDocument 404 "missing"

inside it. If I go to example.com/blahblah, the server stalls for a few seconds and then returns a blank page (this is in Firefox/Opera, as IE can't deal with short error pages).

I assume you mean a forthcoming 3.1.1 release, as the one you gave me the other day is what I am using and it does not obey ~username .htaccess.

mistwang 05-08-2007 07:39 AM

Just download the 3.1.1 package again.

