You would need to put the restrictions in the global section outside of the virtualhost sections to deal with this.
On 2020-02-23 00:15, Trevor Cordes wrote:
Doh. I can also confirm that you can exploit this "flaw" to read any file in /var/www/html and its subdirs even if other virthost <Location> and <Directory> rules forbid it. Further, php files get spit out verbatim (as source) without execution. However, you have to guess the exact file paths/names. Luckily I had dirindexes turned off globally!
I guess the moral of the story is global docroot should never point to anywhere that has real files when you use virthosts for everything. However, once I change global docroot, I'll have to make sure every global setting that applies to docroot and below will be duplicated in the virthosts, as they may no longer apply to the subdirs... I'll have to look into that.
Also, having all dir definitions outside of virthosts would have helped. I like to keep things nested though as it makes more sense to me to have dirs inside the only virthosts they can be accessed by.
All this plus the explicit listens on only certain IPs has solved it. Plus, I realized that newer apaches added support for adding "https" to the end of a Listen to force that Listen line (port) to only talk https and not allow it to pretend it's port 80. _______________________________________________ Roundtable mailing list Roundtable@muug.ca https://muug.ca/mailman/listinfo/roundtable