var .htaccess not activating - cacheleak vulnerability












1















I recently ran a magereport.com scan on one of our magento sites and it reported a cacheleak vulnerability.



In my var folder, there is an .htaccess file but it is not activating and the vulnerability is still reported.



I am running the following:



Magento 1.8.1.0

CentOS release 6.3 (Final)

PHP 5.3.3

FCGI

Apache 2.2.15


Contents of my var/.htaccess folder is:



Order Deny,Allow

Deny from all


Can someone shed some light why I am still able to access folders in my var folder?






ce-1.8.1.0 .htaccess







share|improve this question














bumped to the homepage by Community 4 mins ago


This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.
















  • As far as i can see the .htaccess looks fine. are you actually able to see the contents of the var folder or is just magereport saying you can?

    – rob3000
    Jan 28 '16 at 0:29
















1















I recently ran a magereport.com scan on one of our magento sites and it reported a cacheleak vulnerability.



In my var folder, there is an .htaccess file but it is not activating and the vulnerability is still reported.



I am running the following:



Magento 1.8.1.0

CentOS release 6.3 (Final)

PHP 5.3.3

FCGI

Apache 2.2.15


Contents of my var/.htaccess folder is:



Order Deny,Allow

Deny from all


Can someone shed some light why I am still able to access folders in my var folder?






ce-1.8.1.0 .htaccess







share|improve this question














bumped to the homepage by Community 4 mins ago


This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.
















  • As far as i can see the .htaccess looks fine. are you actually able to see the contents of the var folder or is just magereport saying you can?

    – rob3000
    Jan 28 '16 at 0:29














1












1








1








I recently ran a magereport.com scan on one of our magento sites and it reported a cacheleak vulnerability.



In my var folder, there is an .htaccess file but it is not activating and the vulnerability is still reported.



I am running the following:



Magento 1.8.1.0

CentOS release 6.3 (Final)

PHP 5.3.3

FCGI

Apache 2.2.15


Contents of my var/.htaccess folder is:



Order Deny,Allow

Deny from all


Can someone shed some light why I am still able to access folders in my var folder?






ce-1.8.1.0 .htaccess







share|improve this question














I recently ran a magereport.com scan on one of our magento sites and it reported a cacheleak vulnerability.



In my var folder, there is an .htaccess file but it is not activating and the vulnerability is still reported.



I am running the following:



Magento 1.8.1.0

CentOS release 6.3 (Final)

PHP 5.3.3

FCGI

Apache 2.2.15


Contents of my var/.htaccess folder is:



Order Deny,Allow

Deny from all


Can someone shed some light why I am still able to access folders in my var folder?






ce-1.8.1.0 .htaccess




ce-1.8.1.0 .htaccess






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Jan 27 '16 at 21:02









abtstackabtstack

63




63





bumped to the homepage by Community 4 mins ago


This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.







bumped to the homepage by Community 4 mins ago


This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.















  • As far as i can see the .htaccess looks fine. are you actually able to see the contents of the var folder or is just magereport saying you can?

    – rob3000
    Jan 28 '16 at 0:29



















  • As far as i can see the .htaccess looks fine. are you actually able to see the contents of the var folder or is just magereport saying you can?

    – rob3000
    Jan 28 '16 at 0:29

















As far as i can see the .htaccess looks fine. are you actually able to see the contents of the var folder or is just magereport saying you can?

– rob3000
Jan 28 '16 at 0:29





As far as i can see the .htaccess looks fine. are you actually able to see the contents of the var folder or is just magereport saying you can?

– rob3000
Jan 28 '16 at 0:29










1 Answer
1






active

oldest

votes


















0














while .htaccess is bad in many cases, you can add this in to your apache vhost config:



<LocationMatch ^/(app|downloader|pkginfo|includes|var)/>

    Deny from all

</LocationMatch>


just make sure you pass manual test, open app and var folder in your browser.



also read this: https://stackoverflow.com/questions/11823915/htaccess-not-being-read






share|improve this answer


























  • Thanks so much ... I did add that to my vhost config when this was first noticed. The problem with that solution was no one could add items to their shopping cart. I believe that was due to the sessions being stored on the filesystem in the var folder though.

    – abtstack
    Jan 28 '16 at 13:38











Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "479"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fmagento.stackexchange.com%2fquestions%2f99240%2fvar-htaccess-not-activating-cacheleak-vulnerability%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









0














while .htaccess is bad in many cases, you can add this in to your apache vhost config:



<LocationMatch ^/(app|downloader|pkginfo|includes|var)/>

    Deny from all

</LocationMatch>


just make sure you pass manual test, open app and var folder in your browser.



also read this: https://stackoverflow.com/questions/11823915/htaccess-not-being-read






share|improve this answer


























  • Thanks so much ... I did add that to my vhost config when this was first noticed. The problem with that solution was no one could add items to their shopping cart. I believe that was due to the sessions being stored on the filesystem in the var folder though.

    – abtstack
    Jan 28 '16 at 13:38
















0














while .htaccess is bad in many cases, you can add this in to your apache vhost config:



<LocationMatch ^/(app|downloader|pkginfo|includes|var)/>

    Deny from all

</LocationMatch>


just make sure you pass manual test, open app and var folder in your browser.



also read this: https://stackoverflow.com/questions/11823915/htaccess-not-being-read






share|improve this answer


























  • Thanks so much ... I did add that to my vhost config when this was first noticed. The problem with that solution was no one could add items to their shopping cart. I believe that was due to the sessions being stored on the filesystem in the var folder though.

    – abtstack
    Jan 28 '16 at 13:38














0












0








0







while .htaccess is bad in many cases, you can add this in to your apache vhost config:



<LocationMatch ^/(app|downloader|pkginfo|includes|var)/>

    Deny from all

</LocationMatch>


just make sure you pass manual test, open app and var folder in your browser.



also read this: https://stackoverflow.com/questions/11823915/htaccess-not-being-read






share|improve this answer















while .htaccess is bad in many cases, you can add this in to your apache vhost config:



<LocationMatch ^/(app|downloader|pkginfo|includes|var)/>

    Deny from all

</LocationMatch>


just make sure you pass manual test, open app and var folder in your browser.



also read this: https://stackoverflow.com/questions/11823915/htaccess-not-being-read







share|improve this answer














share|improve this answer



share|improve this answer








edited May 23 '17 at 12:37









Community

1




1










answered Jan 28 '16 at 8:21









MagenXMagenX

1,9841024




1,9841024













  • Thanks so much ... I did add that to my vhost config when this was first noticed. The problem with that solution was no one could add items to their shopping cart. I believe that was due to the sessions being stored on the filesystem in the var folder though.

    – abtstack
    Jan 28 '16 at 13:38



















  • Thanks so much ... I did add that to my vhost config when this was first noticed. The problem with that solution was no one could add items to their shopping cart. I believe that was due to the sessions being stored on the filesystem in the var folder though.

    – abtstack
    Jan 28 '16 at 13:38

















Thanks so much ... I did add that to my vhost config when this was first noticed. The problem with that solution was no one could add items to their shopping cart. I believe that was due to the sessions being stored on the filesystem in the var folder though.

– abtstack
Jan 28 '16 at 13:38





Thanks so much ... I did add that to my vhost config when this was first noticed. The problem with that solution was no one could add items to their shopping cart. I believe that was due to the sessions being stored on the filesystem in the var folder though.

– abtstack
Jan 28 '16 at 13:38


















draft saved

draft discarded




















































Thanks for contributing an answer to Magento Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fmagento.stackexchange.com%2fquestions%2f99240%2fvar-htaccess-not-activating-cacheleak-vulnerability%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

Polycentropodidae

Image
Polycentropodidae Plectrocnemia conspersa Siyentipiko nga pagklasipika Ginhadi-an: Animalia Phylum: Arthropoda Ubosphylum: Hexapoda Klase: Insecta Orden: Trichoptera Labawbanay: Hydropsychoidea Banay: Polycentropodidae Binomial nga ngaran Polycentropodidae An Polycentropodidae [1] in uska familia han Insecta. An Polycentropodidae in nahilalakip ha familia nga Hydropsychoidea, ordo nga Trichoptera, classis nga Insecta, punoan nga Arthropoda, ngan regnum nga Animalia. [1] An familia nga Polycentropodidae in naglalakip hin 660 ka mga species, sumala ha Catalogue of Life [1] . An kladograma hini sumala ha Catalogue of Life [1] : Hydropsychoidea   Polycentropodidae  Adectophylax Antillopsyche Cernotina Cyrnellus Cyrnodes Cyrnopsis Cyrnus Eodipseudopsis Eoneureclipsis Holocentropus Kambaitipsyche Neucentropus
Read more

Magento 2 Error message: Invalid state change requested

Image
2 1 I've created custom Rest API for adding and removing products from cart. I am able to add and delete products from my cart, but when I log in as a customer, I can't add or delete products from cart. API throws message: Invalid state change requested. How can I solve this? magento2 share | improve this question edited Mar 15 '18 at 13:02 Bare Feet 1,561 1 7 32 asked Mar 15 '18 at 12:50 Prabhu M. Prabhu M. 18 5
Read more

Paulmy

Image
An Paulmy amo in usa ka komyun ha departamento han Indre-et-Loire ngan ha Rehiyon Sentro ha nasod han Fransya. k h l Mga komyun ha departamento han Indre-et-Loire Abilly  · Ambillou  · Amboise  · Anché  · Antogny-le-Tillac  · Artannes-sur-Indre  · Assay  · Athée-sur-Cher  · Autrèche  · Auzouer-en-Touraine  · Avoine  · Avon-les-Roches  · Avrillé-les-Ponceaux  · Azay-le-Rideau  · Azay-sur-Cher  · Azay-sur-Indre  · Ballan-Miré  · Barrou  · Beaulieu-lès-Loches  · Beaumont-en-Véron  · Beaumont-la-Ronce  · Beaumont-Village  · Benais  · Berthenay  · Betz-le-Château  · Bléré  · Bossay-sur-Claise  · Bossée  · Le Boulay  · Bourgueil  · Bournan  · Boussay  · Braslou  · Braye-sous-Faye  · Braye-sur-Maulne  · Brèches  · Bréhémont  · Bridoré  · Brizay  · Bueil-en-Touraine  · Candes-Saint-Martin  · Cangey  · La Celle-Guenand  · La Celle-Saint-Avant  · Céré-la-Ronde  · Cerelles  · Chambon  ·
Read more