So, I'm currently repairing an old project. Yes, it's old, ugly and unsafe, but I don't get paid to rewrite the entire thing, only to add a new function. Unfortunately, I came across a file called settings.ini and saw this:

    ;database
    resources.db.adapter = "mysqli"
    resources.db.param.host = "xxxxxxxxxx"
    resources.db.param.username = "xxxxxxxxxxx"
    resources.db.param.password = "xxxxxxxxxxx"
    resources.db.param.dbname = "xxxxxxxxxxx"
    resources.db.isDefaultTableAdapter = true

So, I tried to access them via web browser, and since it's a usual .txt file, if I know the address, I can access it from anywhere I want. I guess I don't have to mention that this is a huge risk for them. Personally, I could say that I don't care or didn't see this, but to be honest, I feel bad doing it. The problem is, I don't have access to the server where this tool is running, so I can't use the firewall to block access from outside.
My first approach was via .htaccess, which contained the following code:

    <Directory "configs">
        Satisfy Any
        Order Require,Allow,Deny
        Require local
        Deny from all
    </Directory>

The files are in the folder configs, this is a simplified file structure:

    app
    |-- folder1
    |-- folder2
    |-- folder3
    |-- configs
    |-- .htaccess

Unfortunately, that didn't work, I still can access the file via any browser. Is there a chance to achieve this via a .htaccess file?
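
For reference, an added example that is not part of the original post: a .htaccess that denies all HTTP access to the directory it sits in. It assumes the file is placed inside configs/ and that the server's AllowOverride setting permits these directives (AuthConfig for Require, Limit for Order/Deny); the path in the first comment is taken from the file structure above.

```apache
# app/configs/.htaccess  (placed inside the directory to protect)
#
# <Directory> sections are only valid in the main server or virtual host
# configuration, not in .htaccess. A .htaccess file already applies to the
# directory that contains it, so no container is needed.

# Apache 2.4 and later: authorization is handled by mod_authz_core
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2: mod_authz_core does not exist, use the older directives
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
```

A request for configs/settings.ini should then return 403 Forbidden. If the file is still served unchanged, the .htaccess is not being read at all (for example AllowOverride None), which can only be changed in the server configuration.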