From 2e7ee22e45b8429ef9705dfeb5951f9b60f728d3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= Date: Sun, 30 Nov 2008 12:13:30 +0000 Subject: [PATCH] setup/lib should be protected same way as libraries --- Documentation.html | 11 ++++++----- setup/lib/.htaccess | 3 +++ 2 files changed, 9 insertions(+), 5 deletions(-) create mode 100644 setup/lib/.htaccess diff --git a/Documentation.html b/Documentation.html index daa702fcc..d0a87af3f 100644 --- a/Documentation.html +++ b/Documentation.html @@ -298,11 +298,12 @@ chmod o-rw config.inc.php # remove world read and write permissions and your databases, or a login dialog if using HTTP or cookie authentication mode. -
  • You should deny access to the ./libraries subfolder in your - webserver configuration. For Apache you can use supplied .htaccess file - in that folder, for other webservers, you should configure this yourself. - Such configuration prevents from possible path exposure and cross side - scripting vulnerabilities that might happen to be found in that code.
  • +
  • You should deny access to the ./libraries and + ./setup/lib subfolders in your webserver configuration. For + Apache you can use supplied .htaccess file in that folder, for other + webservers, you should configure this yourself. Such configuration + prevents from possible path exposure and cross side scripting + vulnerabilities that might happen to be found in that code.
  • It is generally good idea to protect public phpMyAdmin installation against access by robots as they usually can not do anything good diff --git a/setup/lib/.htaccess b/setup/lib/.htaccess new file mode 100644 index 000000000..56baee608 --- /dev/null +++ b/setup/lib/.htaccess @@ -0,0 +1,3 @@ +# This folder does not require access over HTTP +# (the following directive denies access by default) +Order allow,deny
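Review bot: In the Documentation.html hunk (@@ -298,11 +298,12 @@), the added sentence now names two subfolders, ./libraries and ./setup/lib, but still reads "you can use supplied .htaccess file in that folder", which no longer says which folder is meant. Suggest "the supplied .htaccess files in those folders". Since the paragraph is being rewritten anyway, the wording carried over from the removed lines could be corrected in the same change: "cross side scripting" should be "cross-site scripting", and "prevents from possible path exposure" should be "prevents possible path exposure".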
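Review bot: In the new setup/lib/.htaccess, the deny relies on the implicit default of "Order allow,deny" with no Allow line, which is why the comment has to explain it. An explicit "Deny from all" after the Order line would state the intent directly and survive a later edit that adds an Allow rule. The file also only takes effect where the server's AllowOverride setting permits access-control directives in .htaccess; if it does not, the directory stays reachable with no error. The Documentation.html paragraph would be a good place to tell administrators to confirm that a request under ./setup/lib is actually refused.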