(Minor) Bug in Protected Web Directories

There’s a minor bug in the “Protected Web Directories” code. On a brand new Virtualhost I added protection to /administrator (Joomla Site). The first time, this did exactly as I expected and produced in the .htaccess file:

AuthUserFile "/home/jaa/public_html/administrator/htusers"
AuthType Basic
AuthName "Bugger Off ......"
require valid-user
<Files htusers>
deny from all
</Files>

But I was using it as protection from the outside world, so I would turn “off” when I needed to work in the backend and “On” when finished. (now using mod_security)

The 2nd time you turn “on” you’ll find that Virtualmin has added to the .htaccess (three lines at top)

<Files htusers>
deny from all
</Files>
AuthUserFile "/home/jaa/public_html/administrator/htusers"
AuthType Basic
AuthName "Bugger Off ......"
require valid-user
<Files htusers>

deny from all

</Files>

… and those three lines will keep being added every time you toggle the option “Off” and “On”, so over the years, that .htaccess file became “pretty darn big!” …
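Added example, not part of the original thread and not Virtualmin's own code: one way to clean up an .htaccess that has accumulated the repeated `<Files htusers>` blocks described above. The function name and the sample text are constructed for illustration, and the script assumes `<Files>` blocks are not nested.

```python
import re

OPEN_RE = re.compile(r"^\s*<Files\s+(.+?)\s*>\s*$", re.IGNORECASE)
CLOSE_RE = re.compile(r"^\s*</Files\s*>\s*$", re.IGNORECASE)


def dedupe_files_blocks(text):
    """Drop repeated identical <Files> blocks; return (cleaned_text, removed)."""
    lines = text.splitlines()
    out, seen, removed, i = [], set(), 0, 0
    while i < len(lines):
        m = OPEN_RE.match(lines[i])
        if not m:
            out.append(lines[i])
            i += 1
            continue
        j = i + 1  # scan forward to the closing </Files>
        while j < len(lines) and not CLOSE_RE.match(lines[j]):
            j += 1
        if j == len(lines):
            out.extend(lines[i:])  # unterminated block: leave untouched
            break
        # Compare blocks ignoring blank lines and extra whitespace, so the
        # blank-padded copy counts as the same block.
        body = tuple(" ".join(l.split()) for l in lines[i + 1:j] if l.strip())
        key = (m.group(1), body)
        if key in seen:
            removed += 1
        else:
            seen.add(key)
            out.extend(lines[i:j + 1])
        i = j + 1
    return "\n".join(out) + "\n", removed


# Constructed sample: the file from the post after repeated Off/On toggles.
BLOCK = "<Files htusers>\ndeny from all\n</Files>\n"
SAMPLE = (
    BLOCK * 2
    + 'AuthUserFile "/home/jaa/public_html/administrator/htusers"\n'
    + "AuthType Basic\n"
    + 'AuthName "Bugger Off ......"\n'
    + "require valid-user\n"
    + "<Files htusers>\n\ndeny from all\n\n</Files>\n"
)

if __name__ == "__main__":
    cleaned, removed = dedupe_files_blocks(SAMPLE)
    print(f"removed {removed} duplicate block(s)\n{cleaned}", end="")
```

The authentication directives and one `deny from all` block for the password file are kept, so the file stays protected from direct download after cleanup.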

Instead of using this, why don’t you create a custom administrator URL and whitelist it in the firewall to only your home/office static IP address? It’s a much better option.

Adam,

Thanks for the suggestion. I did something similar but used mod_security to only allow access from my internal network. Had a couple of friends test it for me from the outside world, and all is good.

That said ( 🙂 ), it’s still a minor bug!

Kind Regards - Nigel.

Glad you got it sorted. I can appreciate your point about the htaccess file continuing to grow each time you disable and enable, though… I don’t understand programming, so I’m not sure how they plan on fixing that or if it is easy to fix.

I have a thought though: what would happen if you logged in as root user and then made the htaccess file immutable? (I’m probably suggesting nonsense… just a thought)

chattr +i /home/jaa/public_html/administrator/htusers

I’ve opened a ticket for this issue at GitHub. https://github.com/virtualmin/virtualmin-htpasswd/issues/1
