.htaccess warning incorrect

I have recently performed all of the updates to FreePBX 12, and after running without warning for a while I am again getting the “.htaccess files are disabled on this computer”. I have verified that all instances of “AllowOverride” are set to all, and even searched to make sure that the string doesn’t exist anywhere else in any other files on the entirety of the server. What method does FreePBX use to determine this ability? I have restarted apache, php, restapps and asterisk to no effect, and ran a quick test to find that .htaccess files do, indeed, work. Rebooting the server is infeasible at this time, so that is a holy-grail that will have to wait in favor of a better answer.

This is what we do: SetEnv in the .htaccess file. I then retrieve that value through PHP. Seems to work for thousands of other people…

Just curious why this was necessary in the first place. Blanket privileges to .htaccess files can be very dangerous. For example, if an RCE exploit with a redirect to some foreign server were hidden in a (hidden) .htaccess file, it would be much more difficult to detect because all of the standard php files on the server appear to be intact. I don’t know of any system administrator that would routinely open up .htaccess files in every directory on their web server. Just my $.02.

Apache allows for decentralized management of configuration via special files placed inside the web tree. The special files are usually called .htaccess, but any name can be specified in the AccessFileName directive. Directives placed in .htaccess files apply to the directory where you place the file, and all sub-directories. The .htaccess files follow the same syntax as the main configuration files. Since .htaccess files are read on every request, changes made in these files take immediate effect.

The htaccess file in question is also monitored by the GPG check; if the file is changed, an email would be sent out at night to the administrator. This was done because over the past year I went to several systems and noticed that people were fully exposing their web root to the world, which means that whatever we put into htaccess was being ignored. We are not the only php package that uses htaccess files.

As for “I don’t know of any system administrator that would routinely open up .htaccess files”, I don’t believe you. Drupal encourages the use of their .htaccess files for rewriting (among other security related items) [https://www.drupal.org/taxonomy/term/34482]. As does WordPress [http://codex.wordpress.org/htaccess].

@wardmundy your forum software “xenforo” uses htaccess files as well (https://xenforo.com/help/friendly-urls/)

If, after enabling friendly URLs your XenForo installation does not function correctly, please contact your host to confirm that they have mod_rewrite installed and allow overrides via an .htaccess file.

If the htaccess file is properly set up and a hacker compromises said system and places a file into “images”, they wouldn’t be able to execute it unless it was index.php, config.php, or ajax.php.
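As an added illustration of the two points made in this thread (the SetEnv marker that PHP reads back, and the “only these three files may run” rule for a directory), here is an example .htaccess written for this discussion, not FreePBX’s own file. The variable name HTACCESS_OVERRIDE_ACTIVE is an assumption; the file names come from the post above.

```apache
# Example .htaccess for a directory such as "images" (constructed for this
# thread, not FreePBX's own file). Needs AllowOverride All, or at least
# FileInfo and Limit, in the matching <Directory> block of httpd.conf.

# (1) Marker used by the "are overrides honoured?" check. mod_env exports it
# to PHP as $_SERVER['HTACCESS_OVERRIDE_ACTIVE']; after a mod_rewrite internal
# redirect it is also visible as $_SERVER['REDIRECT_HTACCESS_OVERRIDE_ACTIVE'].
# If Apache ignores this file, neither key exists and the check fails.
SetEnv HTACCESS_OVERRIDE_ACTIVE 1

# (2) Refuse to serve any PHP-like file dropped into this directory. Static
# content (images, css, js) is unaffected because only these extensions match.
<FilesMatch "\.(php|php[0-9]|phtml|phar)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>

# Later <FilesMatch> sections override earlier ones for the same file, so the
# three legitimate entry points are re-allowed here. An attacker-dropped
# shell.php never matches this list and stays blocked by the rule above.
<FilesMatch "^(index|config|ajax)\.php$">
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
    </IfModule>
</FilesMatch>
```

The IfModule pairs keep the file valid on both Apache 2.2 (Order/Allow/Deny) and 2.4 (Require). A PHP page in the same tree can confirm the override is live by testing `isset($_SERVER['HTACCESS_OVERRIDE_ACTIVE'])`, which is the approach described earlier in this thread.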

I realize there are some people out there who think of this as some exercise in making it harder for others to use FreePBX but that is not the case. It is part of our commitment to provide better security along with the GPG checking (which has also not gone without high controversy). I’m all for making this easier but it’s like beating a dead horse now. If anyone has ideas (besides disabling allow overrides) then I am all ears.

Of note, XenForo is the only site mentioned of the above three where disabling htaccess files breaks the entire site. You can still use WordPress and Drupal all day long without htaccess; you just don’t get pretty URLs and you get warnings.

Thanks for the well-reasoned explanation, Andrew.

Sorry I haven’t followed-up. I reinstalled the system status module and the warning went away. Keep up the wonderful work guys, your products rock!

As to the .htaccess discussion in general, I don’t see why there is any discussion as to the merits of using this override - it simply makes sense as a way to enforce execution and read restrictions at the daemon level. While there are more elegant and secure means, that would require more drastic changes, such as switching to Hiawatha or Nginx, which raises a possibility of major resistance. There are also options to limit the overrides that .htaccess provides, if someone REALLY wants to get anal, but hopefully that would be an instance where someone would realize the stupidity of publicly exposing their PBX manager to the greater net. If anything, utilizing .htaccess is a good way to make the user ARI potentially secure enough to allow it public access, although I would still prefer to see something like having a sandboxed environment - but that would be unreasonable to expect in the free version that most people use.

just installed raspbx on BBB
upgraded to freepbx v12
have htaccess issue
not sure how to fix it
tried ‘config edit’ in freepbx but can’t find correct file(s) to edit
i’m a windows guy, so be gentle

mark