Subject: Re: Severe security problem with eventum.
From: Walt Washburn (walt@gmail.com)
Date: 02/22/2006 02:22:55 PM
List: com.mysql.lists.eventum-users

A couple of quick adds to these excellent suggestions:

1) Just remember that the cost of .htaccess files is that Apache will parse them with every single directory access, vs configs in the httpd.conf file. Not a big cost on the margin, but if your site is busy it adds up to finite costs.

2) Remember that Directory, Location, and Files directives are absolute and not relative to DocumentRoot or ServerRoot.

Thanks all for the thread.

Walt

On 2/22/06, Joao Prado Maia <jp@alertlogic.net> wrote:

Bryan,

In Eventum 2.0 we will be changing the directory structure to locate logs, include files, etc in a directory not under the webroot. The current structure is in place to make Eventum easy to install.

You could also add a pre-made .htaccess file to the directories that shouldn't be visible to the Eventum distribution, and that would be a nice-to-have feature while 2.0 is not ready yet.

--Joao
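
The httpd.conf alternative to per-directory .htaccess files discussed in this thread, as an added example that is not part of the original messages or of the Eventum distribution. The install path /var/www/html/eventum and the directory names logs and include are assumptions; substitute the real locations.

```apache
# Main server config (httpd.conf), read once at startup or reload,
# instead of .htaccess files that Apache looks up on each request.
# ASSUMPTION: Eventum is installed at /var/www/html/eventum (placeholder path).

# Stop Apache from searching this tree for .htaccess files at all.
<Directory "/var/www/html/eventum">
    AllowOverride None
</Directory>

# <Directory> takes a full filesystem path, so the complete path is
# spelled out rather than something like "logs" or "/eventum/logs".
# ASSUMPTION: "logs" and "include" stand for the non-public directories.
<Directory "/var/www/html/eventum/logs">
    <IfModule mod_authz_core.c>
        # Apache 2.4 and later
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 and earlier
        Order deny,allow
        Deny from all
    </IfModule>
</Directory>

<Directory "/var/www/html/eventum/include">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Directory>
```

After a reload, requesting a file under either directory from a browser should return 403 Forbidden; `apachectl configtest` checks the syntax before the reload.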