
What other vulnerabilities did this backwards-incompatible Apache change cause? Probably many people rely on .htaccess, for example to disable access to non-public files or disable php execution on a DIY CMS file sharing area.

Sounds like the risk from this is not widely known. Probably the correct solution for Apache would have been to detect presence of now-ignored .htaccess files and signal an error.




That was my thought as well.

I think one of the reasons nobody reported this earlier was that people simply assumed that .htaccess support was the default - Larry Cashdollar, the security researcher, also confirmed this: https://news.ycombinator.com/item?id=18271880
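
The check proposed in the first comment, sketched as an added example (not code from the thread or from Apache): it flags `.htaccess` files whose directory resolves to `AllowOverride None`. It assumes plain-path `<Directory>` sections in a single config text, treats an unset value as `None` (the changed default discussed above), and ignores `Include`, per-vhost scoping and `AllowOverrideList`; the sample config and paths are constructed.

```python
import os
import re

# Constructed sample config (not from the thread); all paths are hypothetical.
SAMPLE_CONF = """
<Directory "/var/www">
    AllowOverride None
</Directory>
<Directory "/var/www/html/cms">
    AllowOverride AuthConfig Limit
</Directory>
"""

DIR_OPEN = re.compile(r'^\s*<Directory\s+"?([^">]+)"?\s*>', re.I)
DIR_CLOSE = re.compile(r'^\s*</Directory>', re.I)
OVERRIDE = re.compile(r'^\s*AllowOverride\s+(.+?)\s*$', re.I)

def parse_overrides(conf_text):
    """Map each plain-path <Directory> section to its AllowOverride value."""
    overrides, current = {}, None
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # skip comment lines
        m = DIR_OPEN.match(line)
        if m:
            current = os.path.normpath(m.group(1))
        elif DIR_CLOSE.match(line):
            current = None
        elif current and (m := OVERRIDE.match(line)):
            overrides[current] = m.group(1)
    return overrides

def effective_override(directory, overrides, default="None"):
    """Most specific enclosing <Directory> wins; otherwise the assumed default."""
    directory = os.path.normpath(directory)
    best = None
    for path in overrides:
        if directory == path or directory.startswith(path.rstrip("/") + "/"):
            if best is None or len(path) > len(best):
                best = path
    return overrides[best] if best else default

def ignored_htaccess(htaccess_paths, conf_text):
    """Return the .htaccess files whose directory resolves to AllowOverride None."""
    overrides = parse_overrides(conf_text)
    return [p for p in htaccess_paths
            if effective_override(os.path.dirname(p), overrides).lower() == "none"]
```

A file that is not flagged can still be partly ignored if its directives fall outside the override types the section allows; this sketch only catches the all-or-nothing `None` case.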



