jeudi 30 avril 2015

How to deny access to a directory without restricting it local?

So, I'm currently repairing an old project. Yes, It's old, ugly and unsafe, but i don't get paid to rewrite the entire thing, only to add a new function. Unfortunately, i came across a file called settings.ini and saw this:

resources.db.adapter = "mysqli" = "xxxxxxxxxx"
resources.db.param.username = "xxxxxxxxxxx"
resources.db.param.password = "xxxxxxxxxxx"
resources.db.param.dbname = "xxxxxxxxxxx"
resources.db.isDefaultTableAdapter = true

So, I tried to access them via web browser, and since it's a usual .txt file, if I know the address, I can access it from anywhere I want. I guess i don't have to mention that this is a huge risk for them. Personally, i could say that i don't care or didn't see this, but to be honest, i feel bad doing it. The problem is, I don't have access to the server where this tool is running, so i can't use the firewall to block access from outside.

My first apporach was via .htaccess, which contained the following code:

<Directory "configs">
Satisfy Any
Order Require,Allow,Deny
Require local
Deny from all

The files are in the folder configs, this is a simplified file structure:

|-- folder1
|-- folder2
|-- folder3
|-- configs
|-- .htaccess

Unfortunately, that didn't work, I still can access the file via any browser. Is there a chance to achieve this via a .htaccess file?

Aucun commentaire:

Enregistrer un commentaire