open directory loophole (bypasses .htaccess)

Discussion in 'Bug Reports' started by aww, May 7, 2007.

  1. aww

    aww New Member

    Apparently LiteSpeed has a bug where, if you know the username, you can go right past any -Indexes in .htaccess.

    http://example.com/~username

    Shows the entire folder, no matter what.

    So the emulation of Apache's mod_userdir is incomplete, as it obeys .htaccess in that regard.

    Also, I'd like an option (if there is not one already) to disable the ~username ability entirely, like Cpanel's mod_userdir security tweak.

    (seriously, if you are claiming Cpanel compatibility you should go through all their security tweaks and make sure you can emulate them?)
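As an added example (not from the thread, not LiteSpeed's or cPanel's own configuration), here is how the two protections the post asks for are expressed in Apache httpd directives so that neither depends on a per-directory .htaccess: disabling ~username mapping entirely, or, where it must stay on, turning off directory indexes for the user web roots in the main server config and refusing to let a user's .htaccess re-enable them. The /home/*/public_html layout and the example.com hostname are assumptions; whether a particular LiteSpeed build honours each directive for /~username URLs is precisely what the thread is about, so the check at the end is not optional.

```apache
# Added example, not from the thread. Plain Apache httpd directives (mod_userdir, core).
# Assumed layout: /home/<user>/public_html. Apache 2.4 access-control syntax.

<IfModule mod_userdir.c>
    # Alternative A: the equivalent of cPanel's "mod_userdir protection" tweak.
    # Uncomment this line and drop the two below to switch ~username off for everyone.
    # UserDir disabled

    # Alternative B: keep ~username, but map it explicitly and never for root.
    UserDir public_html
    UserDir disabled root
</IfModule>

<Directory "/home/*/public_html">
    # No autoindex for any user web root, set in the server config rather than
    # in a .htaccess the user controls (or that the server may fail to read).
    Options -Indexes

    # "Options" is deliberately absent from this list, so a user's .htaccess
    # cannot put Indexes back with "Options +Indexes".
    AllowOverride AuthConfig FileInfo Limit

    Require all granted
</Directory>
```

After reloading the server, request a user directory that has no index file, e.g. `curl -s -o /dev/null -w '%{http_code}\n' http://example.com/~username/`, and confirm the body is no longer a listing: with Options -Indexes Apache answers 403, and with UserDir disabled the ~username path is simply not mapped. If a listing still comes back, the server is not applying the main-config directive to the ~username path, which is the behaviour the post reports for .htaccess.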
  2. mistwang

    mistwang LiteSpeed Staff

    This has been fixed in updated 3.1.1 release package. The "ErrorDocument" directive has been verified to be working.
  3. aww

    aww New Member

    I am testing a .htaccess with just

    ErrorDocument 403 "Forbidden"
    ErrorDocument 404 "missing"

    inside it. If I go to example.com/blahblah
    the server stalls for a few seconds and then returns a blank page (this is in Firefox/Opera as IE can't deal with short error pages)

    I assume you mean a forthcoming 3.1.1 release as the one you gave me the other day is what I am using and it does not obey ~username .htaccess
  4. mistwang

    mistwang LiteSpeed Staff

    Just download 3.1.1 package again.
