On Sun, Feb 11, 2007 at 07:56:57PM +0100, Iñaki Baz Castillo wrote:
> Dokuwiki 2006-11-06 from the official page [1] contains the
> file "conf/.htaccess":
>
> conf/.htaccess
> -------------------------------------
> ## no access to the conf directory
> order allow,deny
> deny from all
> ---------------------------------------
>
> This .htaccess denies web access to files in the "conf" directory (ACLs, users).
> But the Debian package doesn't include it in /etc/dokuwiki, so any user can see
> the ACLs and user list (name, mail, role, encrypted password) by accessing:
>
> http://dokuwiki_base/conf
> http://dokuwiki_base/conf/acl.auth.php
> http://dokuwiki_base/conf/users.auth.php
>
> I suggest including the .htaccess file in /etc/dokuwiki.
>
> Note: The issue also exists in the experimental 0.0.20061106-2 version [2].

Um. Why is anything under /etc/ being exposed under the http hierarchy *at all*?

Ah, that would be the link ./usr/share/dokuwiki/conf -> /etc/dokuwiki being shipped in the package, probably as a cheap workaround for a lack of config include path in the software. :/

--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
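An added example, not part of the original thread or of the Dokuwiki or Debian packaging: a packaging-time audit that lists directory symlinks leaving a web root (like the conf -> /etc/dokuwiki link described above) and reports whether a deny-all `.htaccess` is reachable through each link. The function names and the sample tree are assumptions constructed for illustration; the Apache 2.4 form `Require all denied` is accepted alongside the 2.2 form quoted in the report.

```python
import os
import re
import tempfile

# Deny-all directives: Apache 2.2 form (as quoted in the report) and 2.4 form.
DENY_RE = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$",
                     re.I | re.M)

def has_deny_all(directory):
    """True if directory/.htaccess contains a deny-all directive."""
    try:
        with open(os.path.join(directory, ".htaccess"),
                  encoding="utf-8", errors="replace") as fh:
            return bool(DENY_RE.search(fh.read()))
    except OSError:
        return False

def audit_webroot(webroot):
    """Return (link, target, protected) for each directory symlink that
    resolves outside the web root. The .htaccess is read through the link
    path, which is the path the web server walks when serving the URL."""
    root = os.path.realpath(webroot)
    findings = []
    for dirpath, dirnames, _ in os.walk(webroot, followlinks=False):
        for name in dirnames:
            link = os.path.join(dirpath, name)
            if not os.path.islink(link):
                continue
            target = os.path.realpath(link)
            if os.path.commonpath([root, target]) == root:
                continue  # link stays inside the web root
            findings.append((link, target, has_deny_all(link)))
    return findings

def build_sample(base):
    """Constructed layout mirroring the report: <webroot>/conf -> <etc>/dokuwiki."""
    etc = os.path.join(base, "etc", "dokuwiki")
    web = os.path.join(base, "usr", "share", "dokuwiki")
    os.makedirs(etc)
    os.makedirs(web)
    with open(os.path.join(etc, "users.auth.php"), "w") as fh:
        fh.write("# constructed sample, no real accounts\n")
    os.symlink(etc, os.path.join(web, "conf"))
    return web, etc

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        web, _ = build_sample(base)
        for link, target, protected in audit_webroot(web):
            print(f"{link} -> {target}  deny-all .htaccess: {protected}")
```

A `.htaccess` only takes effect when the server's `AllowOverride` setting permits it, so a "protected" result here still needs the server configuration checked.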