For all using Drupal. In June 2015 the Drupal security team reviewed this issue more closely. Their assessment is that there is no security-related issue at all related to Drupal itself using +FollowSymlinks. They agree that switching from +FollowSymlinks to +SymlinksIfOwnerMatch in Drupal core would be a security improvement though. And that can be handled in that public ticket/issue https://www.drupal.org/node/1269780
Any volunteer for a patch to switch Drupal core from +FollowSymlinks to +SymlinksIfOwnerMatch? If easier, a patch was submitted a while ago but it needs work and testing. If you’re interested in contributing, I suggest replying in the public ticket at https://www.drupal.org/node/1269780
By the way, if you’re able to demonstrate that the currently included +FollowSymlinks in Drupal versions 6, 7, 8’s .htaccess file(s) makes the Drupal installation itself vulnerable to attack, the Drupal security team said they would welcome that and they would want to reopen that issue and handle that privately for security reasons. Instructions to report privately are at https://www.drupal.org/node/101494 or https://security.drupal.org
Security is fine, but it does not help if it makes the system unusable.
With the default setting you can’t even install the most current version of Magento.
I tried today.
During installation several times the htaccess is overwritten.
That puts +FollowSymLinks in it and stops the installer with a 500.
So I change the htaccess and reload the page. The installer detects the crash and starts all over, replacing the htaccess. When I set the permissions so it can’t, it stops and reports a permission error.
This happens on each update you install later.
So, until Magento changes this, I need to go the less secure way to keep the store running at all.
Nope, I don’t like it, but there are many things I don’t like.
I have (I think) achieved a reasonably secure Magento installation by changing my Apache conf to allow FollowSymLinks, running the installer and then manually changing all the .htaccess files to SymLinksIfOwnerMatch. Of course, this needs to be repeated for every upgrade. It’s a pain but it seems to work.
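The re-edit step described in the post above, as an added shell example that is not part of the thread or of Magento's own tooling: it rewrites FollowSymLinks to SymLinksIfOwnerMatch on active Options lines in every .htaccess under a document root. The function name `harden_htaccess` and the choice to leave commented-out lines and `-FollowSymLinks` tokens untouched are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): after an installer or upgrade has
# rewritten the .htaccess files, switch FollowSymLinks to SymLinksIfOwnerMatch.
# usage: harden_htaccess DOCROOT   (prints one "updated: FILE" line per change)
harden_htaccess() {
    docroot=$1
    [ -d "$docroot" ] || { echo "not a directory: $docroot" >&2; return 2; }
    list=$(mktemp) || return 1
    tmp=$(mktemp) || { rm -f "$list"; return 1; }
    # -type f: only regular files, so a symlinked .htaccess is never edited.
    find "$docroot" -type f -name .htaccess > "$list"
    while IFS= read -r f; do
        awk '
        # Active Options lines only; lines starting with "#" do not match.
        tolower($0) ~ /^[ \t]*options[ \t]/ {
            rest = $0; out = ""
            while ((i = index(tolower(rest), "followsymlinks")) > 0) {
                # Assumption: "-FollowSymLinks" already disables symlink
                # following, so that token is kept as it is.
                if (substr(rest, i - 1, 1) == "-")
                    word = substr(rest, i, 14)
                else
                    word = "SymLinksIfOwnerMatch"
                out = out substr(rest, 1, i - 1) word
                rest = substr(rest, i + 14)
            }
            $0 = out rest
        }
        { print }' "$f" > "$tmp"
        if ! cmp -s "$f" "$tmp"; then
            cat "$tmp" > "$f"   # overwrite in place: owner and mode are kept
            echo "updated: $f"
        fi
    done < "$list"
    rm -f "$list" "$tmp"
}
```

Run it again after every upgrade that rewrites the files; a second run on an already converted tree prints nothing.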
Just to make sure everyone knows what needs to change for Magento if you’re moving from mod_php to fcgi style hosting… here it is. Note that it’s just two simple changes in .htaccess and media/.htaccess.
Good news for all using Drupal. A patch has been committed/pushed. This means that issue will be fixed in the next Drupal version 8 release. Yayaya. Read more at https://www.virtualmin.com/node/24493#comment-156092
Same problem with Joomla’s .htaccess file (Options +FollowSymlinks).
The line just below this section: ‘Options +FollowSymLinks’ may cause problems with some server configurations.
It is required for use of mod_rewrite, but may already be set by your server administrator in a way that disallows changing it in your .htaccess file.
If using it causes your server to error out, comment it out (add # to beginning of line), reload your site in your browser and test your sef url’s.
If they work, it has been set by your server administrator and you do not need it set here.
I found this topic, thanks Google. I have a Webmin server with several websites; one I want to make with Opencart, and I encounter the same problems: when I leave options +followsymlinks uncommented I get server 500 errors. When I disable that option I cannot use the SEO URL option for product links. I get some HTML code errors when I click products when I have SEO URL activated.
I tested Options +SymLinksIfOwnerMatch in htaccess but nothing seems to change on the website. I still cannot activate SEO URL.
Is there any solution? It is weird: when I activate SEO URL and click a product from the category page, I get a blank page with text only (no layout of product page), but when I click that product from the checkout basket it opens nicely with the theme layout.