Transparency re .htaccess restrictions

Steve1943 · #1 12-03-2007, 12:12 PM

I've wasted a fair bit of my time and that of Support trying to implement and debug Apache commands (via .htaccess) only to eventually discover that the cause of the unexpected results (including 500 errors) was that you have wholly or partially disabled certain functions appearing in the official Apache manuals.

Upon reqeust, Support have subsequently either unblocked the command or suggested work arounds.

I'm not suggesting that blocking the commands is necessarily a bad idea (although usually it is given how easy it is with Apache to restrict consequences to a single file, directory, user etc).

However, some publicly available documentation about what you are blocking (and why) might save users and Support a ton of time and frustration.

keyreviews · #2 12-06-2007, 05:23 AM

Which commands are you finding blocked?

Goddess Dix · #3 12-06-2007, 09:01 AM

Quote:

Originally Posted by Steve1943

However, some publicly available documentation about what you are blocking (and why) might save users and Support a ton of time and frustration.

i understand your frustration (and expectations that support should know what functions are blocked and why, which doesn't seem unreasonable).

but publically announcing exactly which functions will work and which won't is a very, very bad idea for security. the more info that's publically available on your server configuration, the easier it would be to exploit.

special · #4 12-06-2007, 10:41 PM

Quote:

Originally Posted by Goddess Dix

i understand your frustration (and expectations that support should know what functions are blocked and why, which doesn't seem unreasonable).

but publically announcing exactly which functions will work and which won't is a very, very bad idea for security. the more info that's publically available on your server configuration, the easier it would be to exploit.

Well that isent really true, if they take so much trouble to get you. They will get you even if he posts it or not. Its yust a mather of how his coding is secure and how much the target wants to attack him.

Goddess Dix · #5 12-07-2007, 08:39 AM

Quote:

Originally Posted by special

Well that isent really true, if they take so much trouble to get you. They will get you even if he posts it or not. Its yust a mather of how his coding is secure and how much the target wants to attack him.

well, actually reading the thread, one could see we were talking about hg publically posting details of their apache configuration, which would be moronic IMO.