Community Support Forums

Re: Protected files are not protected by .htaccess

2011-10-27T12:42:52-05:00

Thanks for bringing this thread to my attention.
~ and thanks for reporting this important issue.

What you're seeing here is the new s2Member mod_rewrite rules for Apache. You'll find further details on this in your Dashboard, under: s2Member -> Download Options -> Advanced Mod Rewrite Linkage.

SNAG-0085.png
While I do see that it's possible to index this directory ( we'll have this fixed in the next release ), it should NOT be possible for these protected files to be downloaded by unauthenticated Users. Please make sure that you're not logged in when you click one of these files.

Until the directory indexing issue is corrected, you can resolve that particular issue by opening the .htaccess file in your /s2member-files/ directory, and find this line:

Code:: Options +FollowSymLinks -MultiViews

Change this to, to this please:

Code:: Options +FollowSymLinks -MultiViews -Indexes

If you continue to have trouble, please let us know.

Statistics: Posted by Jason Caldwell — October 27th, 2011, 12:42 pm

Re: Protected files are not protected by .htaccess

2011-10-26T23:45:42-05:00

Thanks for reporting this! I'm emailing Jason now.

Statistics: Posted by Cristián Lávaque — October 26th, 2011, 11:45 pm

Re: Protected files are not protected by .htaccess

2011-10-26T12:55:03-05:00

For the moment I deleted the .htaccess file there with all the rewrite rules, then added a simple deby from all .htaccess file.

I restored the security of the files but I lost perhaps something related to rewrite rules.

Statistics: Posted by rvencu — October 26th, 2011, 12:55 pm

Protected files are not protected by .htaccess

2011-10-26T12:16:18-05:00

I have a fresh installation of s2Members and I just discovered that I can manually enter the url to the protected files folder where I get listing of all files and I can freely download any of them.

I see there is an .htaccess file inside but much more complex than in the first video tutorial. The deny from all line is only at the end in this context

Code:: deny from all

I throwed inside an empty index.php file to generate a 404 error instead the file listing. However a savy user can reconstruct files urls by watching the filename in the frontend and by knowing the location of protected files folder.

So I suspect that the .htaccess file is not doing the job it is supposed to do. Any idea?

Statistics: Posted by rvencu — October 26th, 2011, 12:16 pm