[ANSWERED] Move .htaccess files in tmp folder


(Joris) #1

I’m not sure whether to post this here or to the bug tracker, but here goes:

On my installation there are two .htaccess files in my Piwik ‘tmp’ folder which are owned by the apache user:
…/piwik/tmp/templates_c/.htaccess
…/piwik/tmp/cache/tracker/.htaccess

My site runs on a shared hosting service and I’ve recently had some trouble with a security vulnerability which allowed someone to modify the contents of all .htaccess files on the server to which the apache user had write access, including those mentioned above.

If I understand correctly, combining these files into a single .htaccess which resides in …/piwik/tmp would allow me to own the .htaccess file instead of the apache user, and so reduce the chance of this happening again.


(vipsoft) #2

Piwik creates the .htaccess files once during installation. After that you can do whatever you want with them. (They aren’t regenerated or replaced by a software update.)

If you want a more robust solution, use a bootstrap.php file to move your config and tmp folders outside of your web document root. (subject to any open basedir restrictions you might have)
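
An added example, not part of either post and not Piwik code: a check for the ownership question raised in this thread. It lists every .htaccess under a directory that an account other than yours could change. It also inspects the containing directory, because an account with write access to the directory can delete or rename the file and create a new one no matter who owns the file. The function name `audit_htaccess` is hypothetical, and the script assumes it is run as the account that should own the files.

```python
import os
import stat
import sys

def audit_htaccess(root, expected_uid):
    """Return sorted [(path, [reasons])] for .htaccess files that an
    account other than expected_uid could modify or replace."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        f = os.lstat(path)      # lstat: do not follow a planted symlink
        d = os.stat(dirpath)
        reasons = []
        if stat.S_ISLNK(f.st_mode):
            reasons.append("file is a symlink")
        elif f.st_mode & 0o022:
            reasons.append("file is group/world-writable")
        if f.st_uid != expected_uid:
            reasons.append(f"file owned by uid {f.st_uid}")
        # Write access to the directory is enough to unlink the file and
        # create a replacement, regardless of the file's own owner and mode.
        if d.st_uid != expected_uid:
            reasons.append(f"directory owned by uid {d.st_uid}")
        # The sticky bit limits deletion to the file owner, the directory
        # owner and root, so a sticky directory you own is not flagged.
        if d.st_mode & 0o022 and not d.st_mode & stat.S_ISVTX:
            reasons.append("directory is group/world-writable without sticky bit")
        if reasons:
            findings.append((path, reasons))
    return sorted(findings)

if __name__ == "__main__":
    # Usage: python audit_htaccess.py /path/to/piwik/tmp
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, reasons in audit_htaccess(root, os.getuid()):
        print(path + ": " + "; ".join(reasons))
```

An empty result means every .htaccess found, and the directory holding it, is writable only by the account running the check.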