open directory loophole (bypasses .htaccess)

[aww]

Apparently LiteSpeed has a bug where if you know the username you can go right past any -Indexes in .htaccess

http://example.com/~username

Shows the entire folder, no matter what.

So the emulation of Apache's mod_userdir is incomplete as it obeys .htaccess in that regard

Also I'd like an option (if there is not one already) to disable the ~username ability entirely like Cpanel's mod_userdir security tweak

(seriously, if you are claiming Cpanel compatibility you should go through all their security tweaks and make sure you can emulate them?)

 

[mistwang]

This has been fixed in updated 3.1.1 release package. The "ErrorDocument" directive has been verified to be working.

 

[aww]

I am testing a .htaccess with just

ErrorDocument 403 "Forbidden"
ErrorDocument 404 "missing"

inside it. If I go to example.com/blahblah
the server stalls for a few seconds and then returns a blank page (this is in Firefox/Opera as IE can't deal with short error pages)

I assume you mean a forthcoming 3.1.1 release as the one you gave me the other day is what I am using and it does not obey ~username .htaccess

 

[mistwang]

Just download 3.1.1 package again.