From what I read about it, basically it lets the file types added to the handler load as cgi-script and at the same time not execute them.

Instead of executing the files it shows them as plain text in the browser.

I wonder what happens if a .php3 file is added to the upload directory. Does the script look at the file type or does it try to match the extension of the file (in which case .php3 would still be executed as php file with the above line).

Has someone tested this?

Quote:

I have this already in the .htaccess

Should I replace this with the
Quote: or add it before or after the existing .htaccess?

wtravel: Thanks. Someone earlier in this thread said he tested this and it worked.

But it only applies if the server is running Apache. Also, it requires that Apache be configured to allow the use of .htaccess files (AllowOverride); not all servers are configured that way.

my understanding is any file type in the list..

AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi

is assigned to CGI

and this bit

Options -ExecCGI

stops any CGI (and everything assigned) from executing.

It works for me as mentioned previously. Here's the link again for people who like reading.. http://www.askapache.com/htaccess/security-with-apache-htaccess.html#show-source-code


Dave_L,

Maybe there should be server specific versions of xoops.. ie a hardened version for Apache.. or maybe the installer could check server environment and adjust accordingly?

Complements, sugestions by Claudia.

add in folder file .htaccess



This will hinder direct that it executes archives php and js, for the URL, but it does not harm the functioning of xoops, therefore they can be called by others scripts.

Therefore normally, when hackers obtains to send archives for these folders, for some breach of security, later it needs to execute for the URL.

[pt_br]
Isso impedirá que execute arquivos php e js , direto pela url, mas n?o prejudica o funcionamento do xoops, pois eles podem ser chamados por outros scripts.

Pois normalmente, quando os hackers conseguem enviar arquivos para essas pastas, por alguma brecha de seguran?a, depois ele precisam executar pela url.
[/pt_br]