#397 | 03-28-2008, 12:01 PM
amadecs (Member, Join Date: Jan 2008, Posts: 20)

Re: XC SEO v1.1.0 Released

I have a question about the security issues that are in place for XC SEO. There is a secure.htaccess file that comes with the module. It includes the following code...

Quote:
#####
# The following rules should be added
# to the TOP of your existing .htaccess file
# to prevent malicious users/bots from accessing
# x-cart files that aren't meant to be public.
#####

# block all smarty templates (no reason to have these exposed)
RedirectMatch gone ^/.*\.tpl$

# block all .log (log files), .sql (sql dump/export) and .conf (config files) files
# in case some day these files move to another directory
RedirectMatch gone ^.*\.(sql|log|conf)$

# block access to the 'Smarty-*' directory
RedirectMatch gone ^.*Smarty.*$

# block common X-Cart files that could reveal
# that you have X-Cart installed
RedirectMatch gone VERSION.*
RedirectMatch gone COPYRIGHT.*
RedirectMatch gone INSTALL.*
RedirectMatch gone NEW.*
RedirectMatch gone README.*
RedirectMatch gone UPGRADE.*

# block access to /upgrade
Redirect gone /upgrade

# block access to /skin1_original
Redirect gone /skin1_original

# block access to the /sql directory
Redirect gone /sql

# block access to the /shipping directory
Redirect gone /shipping

# block access to the pgp directories
Redirect gone /.pgp
Redirect gone /.pgp.def

# block access to the /tmp and /var directories
Redirect gone /tmp
Redirect gone /var

Now, I know that it's supposed to block malicious bots and users, but it's actually blocking complete access regardless.

For example here is an image in my xcart subdirectory that doesn't have the secure.htaccess file:
http://www.expresscomputersystems.com/xcart/skin1/images/hdr_mnu_networking_out.jpg

Now here is the same URL minus the xcart directory where the secure.htaccess file is located.
http://www.expresscomputersystems.com/skin1/images/hdr_mnu_networking_out.jpg

So right now I'm using all of the images in my xcart/skin1 directory as opposed to the ones in my skin1.

Anybody else have this problem?
__________________
X-Cart: Version 4.1.9
Apache: Version 1.3.39 (Unix)
PHP: Version 5.2.4
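As an added example (not code from the post, the XC SEO module or X-Cart), here is a small Python checker that parses the quoted secure.htaccess rules and reports which rule, if any, would answer a given request path with 410 Gone. It models RedirectMatch as an unanchored, case-sensitive regex search on the URL path and Redirect as a prefix match on whole path segments, as mod_alias documents for current Apache releases; the segment_boundary flag approximates a plain prefix match, which, as an assumption on my part, older releases such as the 1.3 branch used. The sample paths are constructed for the demonstration.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# The rule set from the quoted secure.htaccess, embedded so the script runs offline.
SECURE_HTACCESS = r"""
# block all smarty templates
RedirectMatch gone ^/.*\.tpl$
# block all .log, .sql and .conf files
RedirectMatch gone ^.*\.(sql|log|conf)$
# block access to the 'Smarty-*' directory
RedirectMatch gone ^.*Smarty.*$
# block common X-Cart files that reveal the install
RedirectMatch gone VERSION.*
RedirectMatch gone COPYRIGHT.*
RedirectMatch gone INSTALL.*
RedirectMatch gone NEW.*
RedirectMatch gone README.*
RedirectMatch gone UPGRADE.*
Redirect gone /upgrade
Redirect gone /skin1_original
Redirect gone /sql
Redirect gone /shipping
Redirect gone /.pgp
Redirect gone /.pgp.def
Redirect gone /tmp
Redirect gone /var
"""

Rule = Tuple[str, str, str]  # (directive, status, pattern)


def parse_rules(text: str) -> List[Rule]:
    """Extract Redirect / RedirectMatch lines; comments and blanks are skipped."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3 and parts[0] in ("Redirect", "RedirectMatch"):
            rules.append((parts[0], parts[1], parts[2]))
    return rules


def rule_matches(rule: Rule, path: str, segment_boundary: bool = True) -> bool:
    """Does one rule fire for this URL path (query string already removed)?"""
    directive, _status, pattern = rule
    if directive == "RedirectMatch":
        # mod_alias applies the regex with an unanchored search, case-sensitive,
        # so 'NEW.*' fires anywhere in the path, not only at the start.
        return re.search(pattern, path) is not None
    # Plain Redirect: the configured URL-path is a prefix of the request path.
    if path == pattern:
        return True
    if segment_boundary:
        # Current Apache matches whole path segments: /var does not catch /variants.
        return path.startswith(pattern.rstrip("/") + "/")
    # Assumed older behaviour: a raw string prefix, so /var also catches /variants.
    return path.startswith(pattern)


def blocking_rule(path: str, rules: List[Rule], segment_boundary: bool = True) -> Optional[str]:
    """Return the first rule (in file order, as mod_alias evaluates them) that blocks, or None."""
    for rule in rules:
        if rule_matches(rule, path, segment_boundary):
            return " ".join(rule)
    return None


def audit(paths: Iterable[str], text: str = SECURE_HTACCESS,
          segment_boundary: bool = True) -> Dict[str, Optional[str]]:
    """Map each request path to the rule that blocks it, or None if it stays reachable."""
    rules = parse_rules(text)
    return {p: blocking_rule(p, rules, segment_boundary) for p in paths}


if __name__ == "__main__":
    # Constructed sample paths: the image from the post plus a few edge cases.
    SAMPLE_PATHS = [
        "/skin1/images/hdr_mnu_networking_out.jpg",
        "/skin1/customer/home.tpl",
        "/sql/dump.sql",
        "/skin1/images/NEWS_banner.gif",
        "/var/cache/index.html",
        "/variants/index.html",
    ]
    for path, rule in audit(SAMPLE_PATHS).items():
        print(f"{path:45s} -> {rule or 'allowed'}")
    print("with plain prefix matching:",
          audit(["/variants/index.html"], segment_boundary=False))
```

Running it shows the two things worth checking whenever a block list like this over-blocks: the unanchored `NEW.*` style patterns catch any path containing that substring (a legitimate `NEWS_banner.gif` is lost), and the image path from the post matches none of the quoted patterns in this model, which points the investigation at rule evaluation order, other directives in the same .htaccess, or version-specific server behaviour rather than at these regexes.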