http://<www.domain.com>/editors/htmlarea/ world readable - a problem?

**zcnb** · 1 Jul 2009, 03:02 AM

While implementing the latest security patch, I discovered that two of my subdirectories seem to be not protected by .htaccess and thus instead of producing a blank web page, it produces a "live" web page (with content, links, etc.).

The two subdirectories are:
1. /editors/htmlarea/
2. /editors/htmlarea/examples/

I checked some other zen-cart based stores on the web to see if they exhibit the same behavior and they do (i.e. this seems to be zen-cart's default, not specific to my site).

Is this a potential security problem?

Or is this by design?

Thanks.

**mprough** · 1 Jul 2009, 03:05 AM

Ideally, this folder should be no more than 755 for compliance.... At least put a blank index.html file in them.

~Melanie

**zcnb** · 1 Jul 2009, 03:14 AM

Originally Posted by mprough

Ideally, this folder should be no more than 755 for compliance.... At least put a blank index.html file in them.

These two folders do have 755 permissions. But their index.html is not blank.

I am afraid that if I put a blank index.html in them (instead of the functional ones) I may break some Zen-Cart functionality (probably in the Admin). That's why I am asking.

Pick randomly any store in the "Live Showcase Shops" section, append /editors/htmlarea/ to their base URL - and you will see a non-blank html... Is this benign?