/textpattern/.htaccess internal server error

Bongo-man · 2020-08-19 05:30:22

I couldn’t update from 4.7.3 to 4.8.2.
So I’ve successfully updated to 4.8.0 and then to 4.8.2, but only after removing /textpattern/.htaccess
and thanks this:
https://docs.textpattern.com/installation/troubleshooting-textpattern#internal-server-error

So I wonder about any possible security issue related to /textpattern/.htaccess deletion.
Any easy solution?
Thanks.

Last edited by Bongo-man (2020-08-19 05:30:51)

colak · 2020-08-19 06:56:40

Bongo-man wrote #325462:

I couldn’t update from 4.7.3 to 4.8.2.
So I’ve successfully updated to 4.8.0 and then to 4.8.2, but only after removing /textpattern/.htaccess
and thanks this:
https://docs.textpattern.com/installation/troubleshooting-textpattern#internal-server-error

So I wonder about any possible security issue related to /textpattern/.htaccess deletion.
Any easy solution?
Thanks.

I think that there are two issues:

The htaccess is what creates the clean urls (no security issue)
I’m not sure what the svg part is doing aside from gziping

phiw13 · 2020-08-19 08:01:56

What was the content off that .htaccess file in the @/textpattern/ folder?

by the default on 4.8.+ I think this is it (see here for the default):

<IfModule mod_autoindex.c>
    Options -Indexes
</IfModule>

that only prohibits displaying the file list. No security issue if this file is not there, as far as I can tell.

colak, you are talking about a different .htaccess file, the one at the root level.

Last edited by phiw13 (2020-08-19 08:07:11)

Bongo-man · 2020-08-19 08:19:43

Phiw13, you are right:

1) No clean urls issue.
2) The .htaccess is what you said.

So apparently somebody could list directory/files inside the /textpattern directory.

Thank you.

colak · 2020-08-19 08:54:11

Bongo-man wrote #325465:

Phiw13, you are right:

1) No clean urls issue.
2) The .htaccess is what you said.

So apparently somebody could list directory/files inside the /textpattern directory.

Indeed. You can stop that by using Philippe’s snippet above. If you are still getting a 500 from that, you should definetely get in touch with your host.

Last edited by colak (2020-08-19 08:54:43)

gaekwad · 2020-08-19 08:58:52

Bongo-man wrote #325465:

So apparently somebody could list directory/files inside the /textpattern directory.

How? There’s an index.php, what am I missing? Badly configured web server?

phiw13 · 2020-08-19 09:05:27

gaekwad wrote #325468:

How? There’s an index.php, what am I missing? Badly configured web server?

Not much. if the server is correct set up, you should hit the Textpattern log in panel. that snippet only gives additional protection if someone tries to access some nested folder, e.g /textpattern/include/, directly. Assuming there is nothing TXP does directly to catch such a visitor.

gaekwad · 2020-08-19 09:25:50

phiw13 wrote #325471:

Not much. if the server is correct set up, you should hit the Textpattern log in panel. that snippet only gives additional protection if someone tries to access some nested folder, e.g /textpattern/include/, directly.

Ah, yes – good point.

colak · 2020-08-20 04:02:30

Another way to protect your txp environment is to create an empty index.html document and drop it in all folders that do not have it. Or better, create an index.html file with a link to your homepage and drop it in those directories.

Textpattern CMS

Textpattern CMS support forum

#1 2020-08-19 05:30:22