SA-CORE-2013-003 - Files directory Not fully protected
Question
I'm using Pressflow 6.38 and I'm trying to implement SA-CORE-2013-003 - Drupal core - Multiple vulnerabilities | Drupal.org inside of the /etc/httpd/conf.d/pressflow.conf configuration file, like the following:
<DirectoryMatch "^/(tmp|var/www/html/current/files)">
# Turn off all options we don't need.
Options None
Options +FollowSymLinks
# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
# Override the handler again if we're run later in the evaluation list.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>
# If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php5.c>
php_flag engine off
</IfModule>
</DirectoryMatch>
However, I'm still getting the following message on the Status Report page:
Files directory Not fully protected
See http://drupal.org/SA-CORE-2013-003 for information about the recommended .htaccess file which should be added to the files directory to help protect against arbitrary code execution.
My environment:
# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.8 (Santiago)
# rpm -q httpd php
httpd-2.2.15-55.el6_8.2.x86_64
php-5.3.3-48.el6_8.x86_64
#
Solution
Quote from SA-CORE-2013-003 - Drupal core - Multiple vulnerabilities | Drupal.org:
Additionally, the .htaccess of the temporary files directory and private files directory (if used) should include this command:
Deny from all
Instead of using .htaccess inside of the /tmp directory (which can be wiped), I placed the following rule inside of my pressflow.conf:
<Directory "/tmp">
Deny from all
</Directory>
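An added example, not part of the original posts and not Drupal's or Apache's own code: a Python check that reads httpd configuration text and reports, per directory, which of the directives discussed above no `<Directory>` or `<DirectoryMatch>` block supplies. The function names, the `REQUIRED` table and the embedded sample input (the two posted blocks, Options lines omitted) are assumptions made for illustration.

```python
import re

# Constructed sample input: the two config blocks posted above (Options lines omitted).
QUESTION_CONF = """
<DirectoryMatch "^/(tmp|var/www/html/current/files)">
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>
<IfModule mod_php5.c>
php_flag engine off
</IfModule>
</DirectoryMatch>
"""
ANSWER_CONF = '<Directory "/tmp">\nDeny from all\n</Directory>\n'

# Hypothetical policy table: directives each directory must receive.
MARKER = "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003"
REQUIRED = {"/var/www/html/current/files": [MARKER], "/tmp": ["Deny from all"]}
OPEN = re.compile(r'<(DirectoryMatch|Directory)\s+"?([^">]+)"?\s*>', re.I)
CLOSE = re.compile(r"</Directory(Match)?>", re.I)

def sections(conf):
    """Yield (is_regex, pattern, directives) per <Directory*> block."""
    current = None
    for line in (l.strip() for l in conf.splitlines()):
        m = OPEN.match(line)
        if m:
            current = (m.group(1).lower() == "directorymatch", m.group(2), set())
        elif CLOSE.match(line) and current:
            yield current
            current = None
        elif current and line and line[0] not in "<#":
            # Directives nested in <Files>/<IfModule> are collected as well.
            current[2].add(" ".join(line.split()).lower())

def covers(is_regex, pattern, path):
    # Simplified: regex search, or plain path prefix (no wildcard support).
    if is_regex:
        return re.search(pattern, path) is not None
    return (path + "/").startswith(pattern.rstrip("/") + "/")

def missing_directives(conf, required=REQUIRED):
    """Map each protected path to the required directives no block supplies."""
    report = {}
    for path, wanted in required.items():
        seen = set().union(*(d for r, p, d in sections(conf) if covers(r, p, path)))
        report[path] = [w for w in wanted if w.lower() not in seen]
    return report
```

The check looks only at which directives are present in matching blocks; it does not reproduce Apache's section merge order and says nothing about what Drupal's Status Report inspects.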
Not affiliated with drupal.stackexchange