
Textpattern CMS support forum


#1 2020-08-19 05:30:22

Bongo-man
Member
Registered: 2009-03-18
Posts: 243

/textpattern/.htaccess internal server error

I couldn’t update from 4.7.3 to 4.8.2.
So I’ve successfully updated to 4.8.0 and then to 4.8.2, but only after removing /textpattern/.htaccess
and thanks to this:
https://docs.textpattern.com/installation/troubleshooting-textpattern#internal-server-error

So I wonder about any possible security issue related to /textpattern/.htaccess deletion.
Any easy solution?
Thanks.

Last edited by Bongo-man (2020-08-19 05:30:51)


#2 2020-08-19 06:56:40

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,007

Re: /textpattern/.htaccess internal server error

Bongo-man wrote #325462:

I couldn’t update from 4.7.3 to 4.8.2.
So I’ve successfully updated to 4.8.0 and then to 4.8.2, but only after removing /textpattern/.htaccess
and thanks to this:
https://docs.textpattern.com/installation/troubleshooting-textpattern#internal-server-error

So I wonder about any possible security issue related to /textpattern/.htaccess deletion.
Any easy solution?
Thanks.

I think that there are two issues:

  1. The htaccess is what creates the clean urls (no security issue)
  2. I’m not sure what the svg part is doing aside from gzipping

Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.


#3 2020-08-19 08:01:56

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 3,058

Re: /textpattern/.htaccess internal server error

What was the content of that .htaccess file in the /textpattern/ folder?

By default on 4.8.+ I think this is it (see here for the default):

<IfModule mod_autoindex.c>
    Options -Indexes
</IfModule>

That only prohibits displaying the file list. No security issue if this file is not there, as far as I can tell.

colak, you are talking about a different .htaccess file, the one at the root level.

Last edited by phiw13 (2020-08-19 08:07:11)


Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern


#4 2020-08-19 08:19:43

Bongo-man
Member
Registered: 2009-03-18
Posts: 243

Re: /textpattern/.htaccess internal server error

Phiw13, you are right:

1) No clean urls issue.
2) The .htaccess is what you said.

So apparently somebody could list directory/files inside the /textpattern directory.

Thank you.


#5 2020-08-19 08:54:11

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,007

Re: /textpattern/.htaccess internal server error

Bongo-man wrote #325465:

Phiw13, you are right:

1) No clean urls issue.
2) The .htaccess is what you said.

So apparently somebody could list directory/files inside the /textpattern directory.

Indeed. You can stop that by using Philippe’s snippet above. If you are still getting a 500 from that, you should definitely get in touch with your host.

Last edited by colak (2020-08-19 08:54:43)


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.


#6 2020-08-19 08:58:52

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,134

Re: /textpattern/.htaccess internal server error

Bongo-man wrote #325465:

So apparently somebody could list directory/files inside the /textpattern directory.

How? There’s an index.php, what am I missing? Badly configured web server?


#7 2020-08-19 09:05:27

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 3,058

Re: /textpattern/.htaccess internal server error

gaekwad wrote #325468:

How? There’s an index.php, what am I missing? Badly configured web server?

Not much. If the server is correctly set up, you should hit the Textpattern log in panel. That snippet only gives additional protection if someone tries to access some nested folder, e.g. /textpattern/include/, directly. Assuming there is nothing TXP does directly to catch such a visitor.


Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern


#8 2020-08-19 09:25:50

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,134

Re: /textpattern/.htaccess internal server error

phiw13 wrote #325471:

Not much. If the server is correctly set up, you should hit the Textpattern log in panel. That snippet only gives additional protection if someone tries to access some nested folder, e.g. /textpattern/include/, directly.

Ah, yes – good point.


#9 2020-08-20 04:02:30

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,007

Re: /textpattern/.htaccess internal server error

Another way to protect your txp environment is to create an empty index.html document and drop it in all folders that do not have it. Or better, create an index.html file with a link to your homepage and drop it in those directories.


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.
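
Added example, not part of the thread and not Textpattern's own code: a shell audit for the nested-folder case phiw13 describes and the index.html approach colak suggests, for hosts where the Options -Indexes snippet triggers a 500. The function names, the list of index file names and the sample tree are assumptions made for this sketch; match the names to your server's DirectoryIndex setting.

```shell
#!/bin/sh
# Index file names assumed to be in the server's DirectoryIndex
# (assumption: adjust to your configuration).
INDEX_NAMES="index.php index.html index.htm"

# Print each directory under $1 that contains none of the index files,
# i.e. the ones mod_autoindex could list when "Options -Indexes" is absent.
# Directory names containing newlines are not handled.
list_unindexed_dirs() {
    find "$1" -type d | LC_ALL=C sort | while IFS= read -r dir; do
        found=0
        for name in $INDEX_NAMES; do
            if [ -f "$dir/$name" ]; then
                found=1
                break
            fi
        done
        if [ "$found" -eq 0 ]; then
            printf '%s\n' "$dir"
        fi
    done
}

# Write a placeholder index.html linking to the homepage ($2) into every
# directory reported by list_unindexed_dirs. Existing index files are kept.
add_placeholder_index() {
    root=$1
    home_url=$2
    list_unindexed_dirs "$root" | while IFS= read -r dir; do
        printf '<!DOCTYPE html>\n<title>Index</title>\n<a href="%s">Home</a>\n' \
            "$home_url" > "$dir/index.html"
    done
}

# Constructed sample tree (not a real Textpattern install).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/textpattern/include" "$demo_root/textpattern/lib"
: > "$demo_root/textpattern/index.php"
echo "Before:"; list_unindexed_dirs "$demo_root/textpattern"
add_placeholder_index "$demo_root/textpattern" "https://example.com/"
echo "After:";  list_unindexed_dirs "$demo_root/textpattern"
rm -rf "$demo_root"
```

Run list_unindexed_dirs on its own first to review what would be changed; it reads the tree and writes nothing.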
