open directory loophole (bypasses .htaccess)
Apparently LiteSpeed has a bug where if you know the username you can go right past any -Indexes in .htaccess
Shows the entire folder, no matter what.
So the emulation of Apache's mod_userdir is incomplete as it obeys .htaccess in that regard
Also I'd like an option (if there is not one already) to disable the ~username ability entirely like Cpanel's mod_userdir security tweak
(seriously, if you are claiming Cpanel compatibility you should go through all their security tweaks and make sure you can emulate them?)
This has been fixed in updated 3.1.1 release package. The "ErrorDocument" directive has been verified to be working.
I am testing a .htaccess with just
ErrorDocument 403 "Forbidden"
ErrorDocument 404 "missing"
inside it. If I go to example.com/blahblah
the server stalls for a few seconds and then returns a blank page (this is in Firefox/Opera as IE can't deal with short error pages)
I assume you mean a forthcoming 3.1.1 release as the one you gave me the other day is what I am using and it does not obey ~username .htaccess
Just download 3.1.1 package again.
|All times are GMT -7. The time now is 08:07 AM.|