Collaborate Disseminate
Let’s say I create a website (with apache for example) and my php pages get some sensitive information from a file on disk (a .ini file, a SQLite db or whatever).
I thought two ways to prevent users from getting to this info… Continue reading Is there any good reason to move files outside webserver document root?
New .htaccess injector threat on Joomla and WordPress websites redirects to malicious websites. Continue reading Joomla and WordPress Found Harboring Malicious Redirect Code
I’m doing some pen testing for my place of employment. I was able to grab the session id from the browser cookies, but i still cannot get past the htaccess login. I initially thought that by setting the cookie with the stolen… Continue reading Could Someone Use a Stolen Cookie Session ID to Bypass Htaccess Login?
Currently I am trying to setup my apache server for HSTS. Therefore my .htaccess looks like this:
<IfModule mod_headers.c>
Header set Strict-Transport-Security “max-age=63072000; includeSubDomains; preload”
Hea… Continue reading HSTS and TLS redirection: What is the correct order?
Let’s say we have a password.txt in a webdirectory that must not be leaked. Is it secure to use a RewriteRule like this?
RewriteRule “^password.txt?*” “404.html”
I tried to do something fishy like domain.com/somefile/../pa… Continue reading .htaccess rewrite rule to hide files
I run a magento shop and figured out that there is a security risk. Users can download the logfiles under /var/log/. If they go to https://www.example.com/var/log then a 404 site shows but if they know the exact name of the l… Continue reading How to prevent users to access my files?
How to redirect all ports but 443 to https 443, e.g 404 page, with htaccess please?
Why? – To disable cPanel and Webmail which is usually on ports 2096, 2083 etc. I do not use cPanel and Webmail. They have number of minor vu… Continue reading How to redirect all ports but 443 to https 443 with htaccess [closed]
AuthName “Restricted Area”
AuthType Basic
AuthUserFile /home/xxx/.htpasswd
AuthGroupFile /dev/null
require valid-user
I was trying instead of sending a “GET” a “GETS” to perform the bypass but it does not work. Should this… Continue reading Is it possible to bypass this .htaccess?
I have a client who is running a private mediaWiki site who wants to install VisualEditor extension. Currently, since it’s a private wiki, we’ll have to use configs to allow parsoid to use mediawiki API through the server’s I… Continue reading Security vulnerabilities of using parsoid on shared host with private wiki?
The flaw has existed for eight years thanks to a security change in Apache. Continue reading Thousands of Applications Vulnerable to RCE via jQuery File Upload