
Protected files are not protected by .htaccess

Posted: October 26th, 2011, 12:16 pm
by rvencu
I have a fresh installation of s2Member and I just discovered that I can manually enter the URL of the protected files folder, where I get a listing of all files and can freely download any of them.

I see there is an .htaccess file inside, but it is much more complex than in the first video tutorial. The deny from all line is only at the end, in this context:

<IfModule !mod_rewrite.c>
   deny from all
</IfModule>


I threw an empty index.php file inside to generate a 404 error instead of the file listing. However, a savvy user can reconstruct file URLs by watching the filename in the frontend and by knowing the location of the protected files folder.

So I suspect that the .htaccess file is not doing the job it is supposed to do. Any idea?

Re: Protected files are not protected by .htaccess

Posted: October 26th, 2011, 12:55 pm
by rvencu
For the moment I deleted the .htaccess file there with all the rewrite rules, then added a simple deny from all .htaccess file.

I restored the security of the files, but I have perhaps lost something related to the rewrite rules.

Re: Protected files are not protected by .htaccess

Posted: October 26th, 2011, 11:45 pm
by Cristián Lávaque
Thanks for reporting this! I'm emailing Jason now.

Re: Protected files are not protected by .htaccess

Posted: October 27th, 2011, 12:42 pm
by Jason Caldwell
Thanks for bringing this thread to my attention.
~ and thanks for reporting this important issue.

What you're seeing here is the new s2Member mod_rewrite rules for Apache. You'll find further details on this in your Dashboard, under: s2Member -> Download Options -> Advanced Mod Rewrite Linkage.

[Attachment: SNAG-0085.png]

While I do see that it's possible to index this directory (we'll have this fixed in the next release), it should NOT be possible for these protected files to be downloaded by unauthenticated Users. Please make sure that you're not logged in when you click one of these files.

Until the directory indexing issue is corrected, you can resolve that particular issue by opening the .htaccess file in your /s2member-files/ directory and finding this line:

Options +FollowSymLinks -MultiViews

Change this to:

Options +FollowSymLinks -MultiViews -Indexes

If you continue to have trouble, please let us know.
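As an added example (not code from s2Member or from anyone in this thread), here is a small POSIX shell audit that checks an .htaccess file for the two points raised above: directory indexing left enabled (no -Indexes on the Options line) and a deny from all that only takes effect when mod_rewrite is absent, so that on a normal Apache host the files are reachable unless the rewrite rules cover them. It runs against constructed copies of the fragments quoted in the thread; the function names htaccess_audit and write_samples and the sample file names are my own.

```shell
#!/bin/sh
# Added example, not code from s2Member or from the posters in this thread.
# htaccess_audit FILE: prints one line per finding, return status = number
# of findings (0 means both checks passed). Line-oriented and deliberately
# simple: it does not model a later "+Indexes" override or <Files>/<Limit>
# sections, only the two patterns discussed in the thread.
htaccess_audit() {
    file="$1"
    findings=0
    # 1. Is directory listing disabled on an Options line?
    if ! grep -Eiq '^[[:space:]]*Options[[:space:]].*-Indexes' "$file"; then
        echo "$file: directory indexing not disabled (add -Indexes to the Options line)"
        findings=$((findings + 1))
    fi
    # 2. Count "deny from all" lines that sit OUTSIDE any <IfModule !mod_rewrite.c>
    #    block. A deny inside that block is skipped whenever mod_rewrite is loaded.
    unconditional=$(awk '
        tolower($0) ~ /<ifmodule[ \t]+!mod_rewrite\.c>/            { depth++; next }
        tolower($0) ~ /<\/ifmodule>/ && depth > 0                  { depth--; next }
        depth == 0 && tolower($0) ~ /^[ \t]*deny[ \t]+from[ \t]+all/ { n++ }
        END { print n + 0 }' "$file")
    if [ "$unconditional" -eq 0 ]; then
        echo "$file: no unconditional 'deny from all'; with mod_rewrite active, protection rests entirely on the rewrite rules"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# write_samples DIR: constructed samples, the fragment quoted in the thread
# (before.htaccess) and the same file after the "-Indexes" fix (after.htaccess).
write_samples() {
    cat > "$1/before.htaccess" <<'EOF'
Options +FollowSymLinks -MultiViews
<IfModule !mod_rewrite.c>
   deny from all
</IfModule>
EOF
    sed 's/-MultiViews$/-MultiViews -Indexes/' "$1/before.htaccess" > "$1/after.htaccess"
}

demo=$(mktemp -d)
write_samples "$demo"
htaccess_audit "$demo/before.htaccess"   # 2 findings: indexing on, deny conditional
htaccess_audit "$demo/after.htaccess"    # 1 finding: deny is still conditional
rm -rf "$demo"
```

The second run shows that the -Indexes change closes the listing but leaves the conditional deny in place, which is why the files must still be covered by the rewrite rules.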