var .htaccess not activating - cacheleak vulnerability












I recently ran a magereport.com scan on one of our Magento sites and it reported a cacheleak vulnerability.



In my var folder, there is an .htaccess file but it is not activating and the vulnerability is still reported.



I am running the following:



Magento 1.8.1.0
CentOS release 6.3 (Final)
PHP 5.3.3
FCGI
Apache 2.2.15


Contents of my var/.htaccess folder is:



Order Deny,Allow
Deny from all


Can someone shed some light why I am still able to access folders in my var folder?










  • As far as I can see the .htaccess looks fine. Are you actually able to see the contents of the var folder or is it just magereport saying you can?

    – rob3000
    Jan 28 '16 at 0:29
















ce-1.8.1.0 .htaccess






asked Jan 27 '16 at 21:02









abtstack

1 Answer

While .htaccess is bad in many cases, you can add this to your Apache vhost config:

<LocationMatch ^/(app|downloader|pkginfo|includes|var)/>
Deny from all
</LocationMatch>

Just make sure you pass a manual test: open the app and var folders in your browser.

Also read this: https://stackoverflow.com/questions/11823915/htaccess-not-being-read






  • Thanks so much ... I did add that to my vhost config when this was first noticed. The problem with that solution was no one could add items to their shopping cart. I believe that was due to the sessions being stored on the filesystem in the var folder though.

    – abtstack
    Jan 28 '16 at 13:38











edited May 23 '17 at 12:37









Community

answered Jan 28 '16 at 8:21









MagenX
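
An added example, not part of the original question or answer: a check for one common reason Apache 2.2 never reads var/.htaccess, namely the AllowOverride setting in force for that directory. The config text and the /var/www/html paths are constructed assumptions, and only plain <Directory> sections are modelled (no DirectoryMatch or regex sections).

```python
import re

# Constructed sample config, not taken from the asker's server.
SAMPLE_CONF = '''
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
'''

SECTION = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)
OVERRIDE = re.compile(r'^\s*AllowOverride\s+(.+?)\s*$', re.M | re.I)

def effective_allowoverride(conf, target, default="All"):
    """Return the AllowOverride classes in force for directory `target`.

    Plain <Directory> sections merge shortest path first, so the longest
    enclosing path that sets AllowOverride wins. Apache 2.2 defaults to
    All when no section sets it.
    """
    target = target.rstrip("/") + "/"
    winner, winner_len = default.split(), -1
    for path, body in SECTION.findall(conf):
        prefix = path.rstrip("/") + "/"
        m = OVERRIDE.search(body)
        # >= so that a later section for the same path overrides an earlier one
        if m and target.startswith(prefix) and len(prefix) >= winner_len:
            winner, winner_len = m.group(1).split(), len(prefix)
    return [w.lower() for w in winner]

def htaccess_deny_status(conf, target):
    """Classify what Order/Deny inside target/.htaccess will do (Apache 2.2)."""
    classes = effective_allowoverride(conf, target)
    if "all" in classes or "limit" in classes:
        return "honoured"   # Order/Deny belong to the Limit override class
    if classes == ["none"]:
        return "ignored"    # the .htaccess file is never read
    return "rejected"       # file is read, Order/Deny not permitted: HTTP 500

if __name__ == "__main__":
    print(htaccess_deny_status(SAMPLE_CONF, "/var/www/html/var"))
```

Deny rules placed directly in a <Directory> section of the server or vhost config for the var path do not depend on AllowOverride at all.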
