PriMoThemes — now s2Member® (official notice)

This is now a very OLD forum system. It's in READ-ONLY mode.
All community interaction now occurs at WP Sharks™. See: new forums @ WP Sharks™

Protected files are not protected by .htaccess

s2Member Plugin. A Membership plugin for WordPress®.

Postby rvencu » October 26th, 2011, 12:16 pm

I have a fresh installation of s2Member and I just discovered that I can manually enter the URL of the protected files folder, where I get a listing of all files and can freely download any of them.

I see there is an .htaccess file inside, but it is much more complex than the one in the first video tutorial. The `deny from all` line is only at the end, in this context:

Code:
<IfModule !mod_rewrite.c>
   deny from all
</IfModule>


I threw an empty index.php file inside to generate a 404 error instead of the file listing. However, a savvy user can reconstruct file URLs by watching the filename in the frontend and by knowing the location of the protected files folder.

So I suspect that the .htaccess file is not doing the job it is supposed to do. Any idea?

Re: Protected files are not protected by .htaccess

Postby rvencu » October 26th, 2011, 12:55 pm

For the moment I deleted the .htaccess file there with all the rewrite rules, then added a simple `deny from all` .htaccess file.

I restored the security of the files, but perhaps lost something related to the rewrite rules.

Re: Protected files are not protected by .htaccess

Postby Cristián Lávaque » October 26th, 2011, 11:45 pm

Thanks for reporting this! I'm emailing Jason now.
Cristián Lávaque http://s2member.net

Re: Protected files are not protected by .htaccess

Postby Jason Caldwell » October 27th, 2011, 12:42 pm

Thanks for bringing this thread to my attention.
~ and thanks for reporting this important issue.

What you're seeing here are the new s2Member mod_rewrite rules for Apache. You'll find further details on this in your Dashboard, under: s2Member -> Download Options -> Advanced Mod Rewrite Linkage.

[screenshot: SNAG-0085.png]

While I do see that it's possible to index this directory ( we'll have this fixed in the next release ), it should NOT be possible for these protected files to be downloaded by unauthenticated Users. Please make sure that you're not logged in when you click one of these files.

Until the directory indexing issue is corrected, you can resolve that particular issue by opening the .htaccess file in your /s2member-files/ directory and finding this line:
Code:
Options +FollowSymLinks -MultiViews
Change this to:
Code:
Options +FollowSymLinks -MultiViews -Indexes

If you continue to have trouble, please let us know.
~ Jason Caldwell / Lead Developer
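The two exposures discussed in this thread (a directory listing that is still allowed, and a `deny from all` that only takes effect when mod_rewrite is absent) can both be checked mechanically before a file is ever uploaded. The script below is an added example, not s2Member's code and not something from the original posts: it parses an Apache-style .htaccess into its `<IfModule>` blocks and reports whether `-Indexes` is set and whether the deny is unconditional. The three sample files are constructed from the fragments quoted above; the `<IfModule mod_rewrite.c>` block with `RewriteEngine On` is a stand-in for s2Member's own RewriteRules, which are not reproduced here.

```python
"""Audit an Apache .htaccess for the two exposures discussed in the thread:
a directory listing that is still allowed, and a 'deny from all' that only
applies when mod_rewrite is absent (so that with mod_rewrite loaded, file
protection rests entirely on the RewriteRules)."""

from dataclasses import dataclass, field


@dataclass
class Block:
    """One <IfModule ...> section (or the top level, name '') with its directives."""
    name: str
    directives: list = field(default_factory=list)  # (directive, args) pairs
    children: list = field(default_factory=list)


def parse_htaccess(text):
    """Minimal parser: directives, '#' comments and nested <...></...> blocks."""
    root = Block("")
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            if len(stack) == 1:
                raise ValueError("closing tag without matching opening tag")
            stack.pop()
        elif line.startswith("<"):
            child = Block(line.strip("<>").strip())
            stack[-1].children.append(child)
            stack.append(child)
        else:
            parts = line.split(None, 1)
            stack[-1].directives.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    if len(stack) != 1:
        raise ValueError("unclosed block: <%s>" % stack[-1].name)
    return root


def _walk(block, conditions=()):
    """Yield (enclosing block names, directive, args) for every directive."""
    for name, args in block.directives:
        yield conditions, name, args
    for child in block.children:
        yield from _walk(child, conditions + (child.name,))


def _is_deny_all(name, args):
    """True for Apache 2.2 'deny from all' or Apache 2.4 'Require all denied'."""
    a = " ".join(args.lower().split())
    return (name == "deny" and a == "from all") or (name == "require" and a == "all denied")


def audit(text):
    """Return a list of (code, message) findings; an empty list means nothing to report."""
    indexes_off = False
    unconditional_deny = False
    conditional_deny = []
    for conds, name, args in _walk(parse_htaccess(text)):
        if name == "options" and "-Indexes" in args.split():
            indexes_off = True
        if _is_deny_all(name, args):
            if conds:
                conditional_deny.append(" / ".join(conds))
            else:
                unconditional_deny = True
    if unconditional_deny:
        return []  # nothing is served from this directory at all, listing included
    findings = []
    if not indexes_off:
        findings.append(("INDEXES", "directory listing not disabled: add -Indexes to the Options line"))
    if conditional_deny:
        findings.append(("DENY_CONDITIONAL",
                         "deny only applies under <%s>; with that module loaded, "
                         "protection rests on the RewriteRules alone" % ">, <".join(conditional_deny)))
    else:
        findings.append(("DENY_MISSING", "no 'deny from all' / 'Require all denied' anywhere"))
    return findings


# Constructed from the two fragments quoted in the thread. s2Member's actual
# RewriteRules are NOT reproduced; the mod_rewrite block only stands in for them.
ORIGINAL_HTACCESS = """\
Options +FollowSymLinks -MultiViews
<IfModule mod_rewrite.c>
    RewriteEngine On
    # s2Member's RewriteRules would sit here (not reproduced)
</IfModule>
<IfModule !mod_rewrite.c>
    deny from all
</IfModule>
"""

# The same file after Jason's suggested one-line change.
FIXED_HTACCESS = ORIGINAL_HTACCESS.replace("-MultiViews", "-MultiViews -Indexes")

# rvencu's interim replacement: an unconditional deny and no rewrite rules at all.
SIMPLE_HTACCESS = "deny from all\n"

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_HTACCESS), ("fixed", FIXED_HTACCESS), ("simple", SIMPLE_HTACCESS)):
        print(label + ":", audit(text) or "OK")
```

The `DENY_CONDITIONAL` finding is the point worth keeping in mind: with `-Indexes` added, the listing is gone, but direct requests to a known filename are still decided by the RewriteRules whenever mod_rewrite is loaded, so the live check is to request the directory and one known file while logged out and confirm that neither returns 200.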
