Hello,
interesting thing here. Is this a bug or expected?
Apache is 2.2.23
Customer uses .htaccess which uses some SetEnvIfNoCase directives to filter
bad bots.
The allow,deny directive is placed within a FilesMatch directive.
example:
SetEnvIfNoCase user-agent hallohallo bad_bot=1
On 5 April 2013 10:44, Hajo Locke hajo.lo...@gmx.de wrote:
Hello,
interesting thing here. Is this a bug or expected?
Apache is 2.2.23
Customer uses .htaccess which uses some SetEnvIfNoCase directives to
filter bad bots.
The allow,deny directive is placed within a FilesMatch directive.
The regex in the FilesMatch directive is quite useless, but this leads to the
problem that the .htaccess file can be called via HTTP in a browser and shows all of
its contents.
http://example.com/.htaccess
Seems to me quite simple for a user to disclose his .htaccess contents by
simple filesmatch
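
The exposure described in this thread can be checked for mechanically. The following Python sketch is an added example, not part of the original messages: it flags .htaccess sections whose pattern also matches .htaccess or .htpasswd and which carry an "Allow from" line. The function name, the "(.*)" sample pattern and the narrowed pattern are constructed for illustration (the poster's actual regex is not shown), and Python's re and fnmatch modules only approximate Apache's matching.

```python
import fnmatch
import re

# File names the server-wide "^\.ht" deny rule is meant to protect.
PROTECTED = (".htaccess", ".htpasswd")

# <FilesMatch "re">, <Files ~ "re"> and <Files glob> sections, with their bodies.
SECTION = re.compile(
    r'<\s*(FilesMatch|Files)\s+(~\s+)?"?([^">]+?)"?\s*>(.*?)<\s*/\s*\1\s*>',
    re.IGNORECASE | re.DOTALL)
ALLOW = re.compile(r'^\s*Allow\s+from\s', re.IGNORECASE | re.MULTILINE)

def find_exposing_sections(htaccess_text):
    """Return [(pattern, [protected names matched])] for every section that
    matches a protected name and contains an Allow directive."""
    text = "\n".join(line for line in htaccess_text.splitlines()
                     if not line.lstrip().startswith("#"))  # drop comments
    findings = []
    for m in SECTION.finditer(text):
        kind, tilde, pattern, body = m.groups()
        if not ALLOW.search(body):
            continue  # a section without Allow grants nothing
        if kind.lower() == "filesmatch" or tilde:
            try:
                rx = re.compile(pattern)
            except re.error:
                continue  # syntax Python cannot parse: review by hand
            hit = [n for n in PROTECTED if rx.search(n)]
        else:
            hit = [n for n in PROTECTED if fnmatch.fnmatchcase(n, pattern)]
        if hit:
            findings.append((pattern, hit))
    return findings

# Constructed sample in the shape the thread describes (regex is assumed).
SAMPLE = r'''SetEnvIfNoCase user-agent hallohallo bad_bot=1
<FilesMatch "(.*)">
Order allow,deny
Allow from all
Deny from env=bad_bot
</FilesMatch>
'''

# Same rules, but the pattern only names the content types to be filtered.
NARROWED = SAMPLE.replace('"(.*)"', r'"\.(php|html?)$"')

if __name__ == "__main__":
    print(find_exposing_sections(SAMPLE), find_exposing_sections(NARROWED))
```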