On March 5, 2012 8:32 , "Hajo Locke" <hajo.locke@xxxxxx> wrote:
ist there any possibility to hide server-status page provided by mod-status for my users? every user with .htaccess is able to use sethandler and able to view complete status.how to disable this?
Disable mod_status, or turn off .htaccess files, or disable the "FileInfo" override ("Options -FileInfo"), or don't give any access to the filesystem to anyone who you don't trust with the power to use .htaccess files.
The documentation warns about this problem: https://httpd.apache.org/docs/2.2/mod/mod_status.html says,
*It should be noted that if |mod_status <https://httpd.apache.org/docs/2.4/mod/mod_status.html>| is loaded into the server, its handler capability is available in /all/ configuration files, including /per/-directory files (/e.g./, |.htaccess|). This may have security-related ramifications for your site.*
-- Mark Montague mark@xxxxxxxxxxx --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|