This repository has been archived by the owner on Mar 23, 2024. It is now read-only.

html/_drf/.htaccess changed #9

Open
klml opened this issue Jul 10, 2014 · 2 comments
Owner

klml commented Jul 10, 2014

There is a new file on the demo (at 18.00)

html/_drf/.htaccess.before-uberspace-change

and changed

html/_drf/.htaccess

again a change (at 18.50) in

html/_drf/.htaccess

but no diff:

[drf@grus html]$ diff .htaccess .htaccess.before-uberspace-change
[drf@grus html]$

I assume the second change reverted the first

klml added the bug label Jul 10, 2014
Owner Author

klml commented Jul 10, 2014

With known credentials (a:a) you also have access via POST to _drf:

~$ curl --data "drf_sourcepath=_drf/.htaccess&content=lorem" http://a:[email protected]/_drf/make.php
[SUCCESS] written: ../_drf/.htaccess

There is still a TODO to prevent directory traversal attacks and close edits to source: _drf/lib/Tools.php#L21
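
One way to close the TODO described in the comment above, as an added example that is not code from the project: canonicalise the posted `drf_sourcepath` before writing and refuse anything that resolves outside the web root, inside `_drf`, or to a dotfile. The function name `resolveWritablePath`, the directory layout and the dotfile rule are assumptions made for illustration.

```php
<?php
// Added example, not project code; names and layout are assumptions.
function resolveWritablePath(string $webRoot, string $sourcePath, string $protectedDir = '_drf'): ?string
{
    $sep = DIRECTORY_SEPARATOR;
    $root = realpath($webRoot);
    if ($root === false || $sourcePath === '' || strpos($sourcePath, "\0") !== false) {
        return null;
    }
    // The target may not exist yet, so canonicalise its parent directory.
    // realpath() collapses ".." segments and resolves symlinks.
    $candidate = $root . $sep . $sourcePath;
    $parent = realpath(dirname($candidate));
    $name = basename($candidate);
    if ($parent === false || $name === '' || $name[0] === '.') {
        return null; // missing directory, or a dotfile such as .htaccess
    }
    // Containment: the parent must be the web root or lie below it.
    if (strpos($parent . $sep, $root . $sep) !== 0) {
        return null;
    }
    // Close edits to the tool's own source directory.
    $protected = realpath($root . $sep . $protectedDir);
    if ($protected !== false && strpos($parent . $sep, $protected . $sep) === 0) {
        return null;
    }
    $target = $parent . $sep . $name;
    // Refuse an existing symlink, which a write would follow out of the root.
    return is_link($target) ? null : $target;
}

// Constructed demo tree in a temporary directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'drf_demo_' . getmypid();
mkdir($root . '/_drf/lib', 0700, true);
mkdir($root . '/pages', 0700, true);

$samples = [
    'pages/index.md',          // ordinary content file
    '_drf/.htaccess',          // the path posted in the comment above
    '_drf/lib/Tools.php',      // tool source
    'pages/../_drf/make.php',  // traversal back into the source directory
    '../outside.txt',          // traversal out of the web root
    'pages/.htaccess',         // server config dotfile in a content directory
];
foreach ($samples as $path) {
    $resolved = resolveWritablePath($root, $path);
    printf("%-24s %s\n", $path, $resolved === null ? 'REFUSED' : 'ok -> ' . $resolved);
}
```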

Owner Author

klml commented Jul 11, 2014

The new file was from a hoster config change: "Last but not least, whenever a change has been made we leave behind a .htaccess.before-uberspace-change, ..."

But the problem still exists, though it is not major.
