On March 5, 2012 8:32 , "Hajo Locke" <hajo.lo...@gmx.de> wrote:
ist there any possibility to hide server-status page provided by
mod-status for my users?
every user with .htaccess is able to use sethandler and able to view
complete status.
how to disable this?
Disable mod_status, or turn off .htaccess files, or disable the
"FileInfo" override ("Options -FileInfo"), or don't give any access to
the filesystem to anyone who you don't trust with the power to use
.htaccess files.
The documentation warns about this problem:
https://httpd.apache.org/docs/2.2/mod/mod_status.html says,
*It should be noted that if |mod_status
<https://httpd.apache.org/docs/2.4/mod/mod_status.html>| is loaded
into the server, its handler capability is available in /all/
configuration files, including /per/-directory files (/e.g./,
|.htaccess|). This may have security-related ramifications for your site.*
--
Mark Montague
m...@catseye.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
