Afrihost Server Configuration Change

gomez_in_the_south

A client's website was having problems with all user-uploaded images being broken. It turns out a configuration change on his server with Afrihost was conflicting with the .htaccess directive Drupal automatically adds in the /sites/default/files folder.

If you're hosting a Drupal site with Afrihost you may want to check that files in this folder are still accessible.

If you are having the same problem, look at the solution posted in this thread: http://drupal.org/node/431310#comment-2952776 (although I'm still checking if there is a security risk associated with this solution).

George

Comments

Yes, there is a security risk

burningdog

Yes, there is a security risk associated with that solution. Commenting out the following in the files/.htaccess

#Options None
#Options +FollowSymLinks

allows users to upload files and then execute them (BAD!). As quicksketch said:

Basically what this exploit allowed was you could upload a file like script.php.psd. Since Apache doesn't know how to handle .psd files, it would fall back to .php. Meaning if you allowed the upload of PSD files, a user could upload a PHP script to the site, execute it, and wreak havoc. The .htaccess file prevents PHP (or any other scripts) from running within the files directory.

The long-term solution is asking Afrihost to figure out what the conflict is with .htaccess, and fixing it. I'm assuming this isn't one of Afrihost's dedicated/managed servers, but a shared hosting solution? I manage 2 sites on their managed servers and we can access our files fine :)
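A check a site maintainer could run against the files folder for the two points raised in the comment above: whether the `Options` directives are still active in files/.htaccess, and whether any upload carries a script extension in front of its last one. This is an added example, not part of the thread or of Drupal; the function names and the `SCRIPT_EXTS` list are assumptions, and the sample tree is constructed.

```python
import os
import re
import tempfile

# Directives the comment says must stay active in files/.htaccess.
REQUIRED = ("Options None", "Options +FollowSymLinks")
# Assumed list of extensions a server may map to a script handler; adjust per host.
SCRIPT_EXTS = {"php", "phtml", "php5", "pl", "py", "cgi"}

def disabled_directives(htaccess_text):
    """Return the required directives that are missing or commented out."""
    active = set()
    for line in htaccess_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            active.add(re.sub(r"\s+", " ", line).lower())
    return [d for d in REQUIRED if d.lower() not in active]

def hidden_script_ext(filename):
    """True if any extension, not only the last, is a script one (script.php.psd)."""
    return any(p in SCRIPT_EXTS for p in filename.lower().split(".")[1:])

def audit(files_dir):
    """Return (disabled directives, sorted relative paths of suspicious uploads)."""
    text = ""
    ht = os.path.join(files_dir, ".htaccess")
    if os.path.isfile(ht):
        with open(ht) as f:
            text = f.read()
    suspicious = []
    for root, _dirs, names in os.walk(files_dir):
        for n in names:
            if n != ".htaccess" and hidden_script_ext(n):
                suspicious.append(os.path.relpath(os.path.join(root, n), files_dir))
    return disabled_directives(text), sorted(suspicious)

def demo():
    """Constructed sample tree reproducing the state described in the thread."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, ".htaccess"), "w") as f:
            f.write("#Options None\n#Options +FollowSymLinks\n")
        for n in ("photo.jpg", "script.php.psd"):
            open(os.path.join(d, n), "w").close()
        return audit(d)

if __name__ == "__main__":
    print(demo())
```

On a real site, call `audit()` with the path to sites/default/files; an empty first list and an empty second list mean neither condition was found.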
