Package: dokuwiki
Version: 0.0.20061106-1
Severity: critical
Dokuwiki 2006-11-06 from the official page [1] contains the
file "conf/.htaccess":
conf/.htaccess
-------------------------------------
## no access to the conf directory
order allow,deny
deny from all
---------------------------------------
This .htaccess denies web access to files in the "conf" directory (ACLs, users).
But the Debian package doesn't include it in /etc/dokuwiki, so any user can see the
ACLs and user list (name, mail, role, encrypted password) by accessing:
http://dokuwiki_base/conf
http://dokuwiki_base/conf/acl.auth.php
http://dokuwiki_base/conf/users.auth.php
I suggest including the .htaccess file in /etc/dokuwiki.
Note: The issue also exists in the experimental 0.0.20061106-2 version [2].
[1] Dokuwiki official download:
http://www.splitbrain.org/projects/dokuwiki
[2] Changelog in experimental 20061106-2 version:
http://packages.debian.org/changelogs/pool/main/d/dokuwiki/dokuwiki_0.0.20061106-2/changelog
[3] Related bug in Dokuwiki bug database:
http://bugs.splitbrain.org/?do=details&id=1076
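A check an administrator can run against their own installation to confirm that the three URLs from the report are no longer served. This is an added example, not part of the original report or of the Debian package; the function names and the mapping of status codes to verdicts are assumptions of this example.

```python
import sys
import urllib.error
import urllib.request

# Paths the report lists as readable when conf/.htaccess is missing.
SENSITIVE_PATHS = ("conf/", "conf/acl.auth.php", "conf/users.auth.php")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report a 30x response as-is instead of following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_status(url, timeout=5):
    """Return the HTTP status of a GET for url, or None if unreachable."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code          # 3xx/4xx/5xx arrive here
    except OSError:
        return None              # DNS failure, refused connection, timeout


def audit(base_url, fetch=http_status):
    """Map each sensitive path to (status, verdict) for the wiki at base_url."""
    base = base_url.rstrip("/") + "/"
    results = {}
    for path in SENSITIVE_PATHS:
        status = fetch(base + path)
        if status in (401, 403, 404):
            verdict = "blocked"   # assumption: these codes mean not served
        elif status is not None and 200 <= status < 300:
            verdict = "EXPOSED"   # file content or directory listing returned
        else:
            verdict = "review"    # redirect, server error or unreachable
        results[path] = (status, verdict)
    return results


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_conf.py http://dokuwiki_base")
    report = audit(sys.argv[1])
    for path, (status, verdict) in report.items():
        print(f"{verdict:8} {status} {path}")
    sys.exit(1 if any(v == "EXPOSED" for _, v in report.values()) else 0)
```

The .htaccess file only takes effect if the Apache configuration allows overrides for that directory, so the HTTP result is the thing to verify, not just the presence of the file.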