Download
2013-01-14, 10:36:14
There were plenty situations when temp.htaccess hasn't been renamed during installation.
If you place all deny rules within root .htaccess file, and this situation happens again, houston might get a security problem with a free access to user.xml
(this of course is still possible on non apache webservers)
Uploads and thumbs dirs might be moved to root, and deny rule might get into root htaccess (look here: http://get-simple.info/forums/showthread...3#pid31223) as it shouldn't open a security hole (as long as script file within upload/thumb dir wouldn't be executed by GS)
ps. many plugins also have deny rules in own htaccess files
Don't you think that GS should disallow accessing all mentioned dirs, and plugin files on his own, instead of basing on apache's deny mechanism ?
If you place all deny rules within root .htaccess file, and this situation happens again, houston might get a security problem with a free access to user.xml
(this of course is still possible on non apache webservers)
Uploads and thumbs dirs might be moved to root, and deny rule might get into root htaccess (look here: http://get-simple.info/forums/showthread...3#pid31223) as it shouldn't open a security hole (as long as script file within upload/thumb dir wouldn't be executed by GS)
ps. many plugins also have deny rules in own htaccess files
Don't you think that GS should disallow accessing all mentioned dirs, and plugin files on his own, instead of basing on apache's deny mechanism ?
Addons: blue business theme, Online Visitors, Notepad
