var .htaccess not activating - cacheleak vulnerability
I recently ran a magereport.com scan on one of our Magento sites and it reported a cacheleak vulnerability.
In my var folder, there is an .htaccess file but it is not activating and the vulnerability is still reported.
I am running the following:
Magento 1.8.1.0
CentOS release 6.3 (Final)
PHP 5.3.3
FCGI
Apache 2.2.15
Contents of my var/.htaccess folder is:
Order Deny,Allow
Deny from all
Can someone shed some light why I am still able to access folders in my var folder?
ce-1.8.1.0 .htaccess
asked Jan 27 '16 at 21:02 by abtstack
As far as I can see the .htaccess looks fine. Are you actually able to see the contents of the var folder or is just magereport saying you can?
– rob3000
Jan 28 '16 at 0:29
1 Answer
While .htaccess is bad in many cases, you can add this into your Apache vhost config:
<LocationMatch ^/(app|downloader|pkginfo|includes|var)/>
    Deny from all
</LocationMatch>
Just make sure you pass a manual test: open the app and var folders in your browser.
Also read this: https://stackoverflow.com/questions/11823915/htaccess-not-being-read
edited May 23 '17 at 12:37 by Community♦
answered Jan 28 '16 at 8:21 by MagenX
Thanks so much ... I did add that to my vhost config when this was first noticed. The problem with that solution was no one could add items to their shopping cart. I believe that was due to the sessions being stored on the filesystem in the var folder though.
– abtstack
Jan 28 '16 at 13:38
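One common reason a var/.htaccess like the one in the question has no effect is an AllowOverride None on an enclosing Directory section of the server config. The following is an added example, not code from this thread: it resolves which AllowOverride applies to a directory and reports whether the file's Order and Deny lines would be ignored, rejected or applied. The config text and the /var/www/html paths are constructed assumptions, since the page does not show the asker's httpd.conf.

```python
import re

# Override class needed by each directive in the question's var/.htaccess
# (Apache 2.2: Order and Deny are both "Override: Limit").
REQUIRED = {"order": "limit", "deny": "limit"}

# Constructed sample config; the /var/www/html paths are assumptions.
SAMPLE = """
<Directory />
    AllowOverride None
</Directory>
<Directory "/var/www/html">
    AllowOverride None
</Directory>
"""
VAR_SECTION = '<Directory "/var/www/html/var">\n    AllowOverride %s\n</Directory>\n'
FIXED = SAMPLE + VAR_SECTION % "Limit"
AUTH_ONLY = SAMPLE + VAR_SECTION % "AuthConfig"

def effective_override(conf_text, target_dir):
    """AllowOverride classes in force for target_dir.

    Simplification: only plain <Directory "path"> sections are read (no
    wildcards, no DirectoryMatch). Apache merges them shortest path first,
    so the longest matching section that sets AllowOverride wins.
    """
    best_len, classes, section = -1, {"all"}, None  # Apache 2.2 default: All
    for raw in conf_text.splitlines():
        line = raw.strip()
        opened = re.match(r'<Directory\s+"?([^">]+)"?\s*>$', line, re.I)
        if opened:
            section = opened.group(1).rstrip("/") or "/"
        elif line.lower() == "</directory>":
            section = None
        elif section and line.lower().startswith("allowoverride "):
            inside = (target_dir + "/").startswith(section.rstrip("/") + "/")
            if inside and len(section) >= best_len:
                best_len, classes = len(section), set(line.lower().split()[1:])
    return classes

def htaccess_status(conf_text, target_dir, directives=("Order", "Deny")):
    """Return 'ignored', 'rejected' (requests get HTTP 500) or 'applied'."""
    classes = effective_override(conf_text, target_dir)
    if "none" in classes:
        return "ignored"      # Apache never opens the .htaccess file
    needed = {REQUIRED[d.lower()] for d in directives}
    if "all" in classes or needed <= classes:
        return "applied"
    return "rejected"         # e.g. "Order not allowed here" in error_log
```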