Afrihost Server Configuration Change

A client's website was having problems with all user-uploaded images being broken. It turns out a configuration change on his server with Afrihost was conflicting with the .htaccess directive Drupal automatically adds in the /sites/default/files folder.

If you're hosting a Drupal site with Afrihost you may want to check that files in this folder are still accessible.

If you are having the same problem, look at the solution posted in this thread: http://drupal.org/node/431310#comment-2952776 (although I'm still checking if there is a security risk associated with this solution).

George


Yes, there is a security risk

Roger Saner - Thu, 2010-06-10 19:38

Yes, there is a security risk associated with that solution. Commenting out the following in the files/.htaccess

#Options None
#Options +FollowSymLinks

allows users to upload files and then execute them (BAD!). As quicksketch said:

Basically what this exploit allowed was you could upload a file like script.php.psd. Since Apache doesn't know how to handle .psd files, it would fall back to .php. Meaning if you allowed the upload of PSD files, a user could upload a PHP script to the site, execute it, and wreak havoc. The .htaccess file prevents PHP (or any other scripts) from running within the files directory.

The long term solution is asking Afrihost to figure out what the conflict is with .htaccess, and fixing it. I'm assuming this isn't one of Afrihost's dedicated/managed servers, but a shared hosting solution? I manage 2 sites on their managed servers and we can access our files fine :)
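
An audit sketch for the situation discussed in this thread, added here as an example and not posted by anyone in the thread: it reports whether the two `Options` lines in files/.htaccess are still active, and lists uploaded files whose names carry a script extension in any position (the script.php.psd pattern). The function names, the `SCRIPT_EXTS` list and the sample tree are assumptions made for illustration.

```python
import os
import tempfile

# Directives the thread names as commented out in files/.htaccess.
REQUIRED = ("Options None", "Options +FollowSymLinks")
# Assumption: extensions the host maps to a script handler; adjust per server.
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml", "pl", "py", "cgi"}

def missing_directives(htaccess_text):
    """Return the REQUIRED directives that are absent or commented out."""
    active = set()
    for line in htaccess_text.splitlines():
        line = " ".join(line.split()).casefold()
        if line and not line.startswith("#"):
            active.add(line)
    return [d for d in REQUIRED if d.casefold() not in active]

def hidden_script_ext(filename):
    """True if ANY extension segment is a script type, e.g. script.php.psd."""
    return any(p in SCRIPT_EXTS for p in filename.lower().split(".")[1:])

def audit(files_dir):
    """Check the directory's .htaccess and list risky uploaded file names."""
    try:
        with open(os.path.join(files_dir, ".htaccess"), errors="replace") as fh:
            missing = missing_directives(fh.read())
    except FileNotFoundError:
        missing = list(REQUIRED)
    risky = []
    for root, _dirs, names in os.walk(files_dir):
        for name in names:
            if hidden_script_ext(name):
                risky.append(os.path.relpath(os.path.join(root, name), files_dir))
    return missing, sorted(risky)

if __name__ == "__main__":
    # Constructed sample tree standing in for sites/default/files.
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, ".htaccess"), "w") as fh:
            fh.write("#Options None\n#Options +FollowSymLinks\n")
        for name in ("photo.jpg", "script.php.psd"):
            open(os.path.join(d, name), "w").close()
        missing, risky = audit(d)
        print("missing directives:", missing)
        print("risky file names:", risky)
```

Run it against the real files directory by calling `audit("/path/to/sites/default/files")`; an empty first list means both directives are active.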