[support] www.mysite.net security hole for mysite.net?

Laura Scott laura at pingv.com
Sat Jun 10 17:42:38 UTC 2006


On Jun 10, 2006, at 10:41 AM, dondi_2006 wrote:

>
>> Make sure your .htaccess file is being read. Then make sure you have
>> the correct redirect command uncommented.
>
> Thanks, but.. sorry, how do I check this? I REALLY need to understand
> if what's happening is an error of mine and which one, or if it's a
> general Drupal or LAMP issue/bug

.htaccess is a hidden file that is used to, among other things,  
restrict unauthorized access to the directory and all child  
directories. You can check if it's there using your sftp program (and  
make sure to enable "show hidden files" or the like, if the program  
has that option).

If you don't have it there, you can dig it out of the Drupal tarball.  
(If you're on a Mac, and haven't enabled Finder to show hidden files,  
you can find the file using TextWrangler or the like.)

>
>> If you're trying to run your www. domain as a different site than the
>> non-www. domain, then I don't know -- I've never tried that.
>
> No, that's not what I want. I want mysite.net and www.mysite.net to be the
> same website. I just want to _advertise_ (when it will be ready) only the
> shorter name.

In .htaccess, add this:

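# 301 redirect from www.yourdomain.com to yourdomain.com
RewriteEngine on
# Match the www. host case-insensitively; dots are escaped so they match literally
RewriteCond %{HTTP_HOST} ^www\.yourdomain\.com [NC]
# Send a permanent redirect to the same path on the bare domain
RewriteRule ^(.*)$ http://yourdomain.com/$1 [L,R=301]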

This will also have the effect of telling search engines to index  
your site without the www.

>
> Anyway: I have discovered two things:
>
> 1) If I click on "log out" in www.mysite.net then I don't see that
>    hole anymore, but:
>
> 2) three days ago I had created (after the admin account) a second account,
>    called My_First_Name with full powers (since I read somewhere it's good
>    practice to use account #1 as seldom as possible). If I log in with this
>    _second_ account, I still get the page:
>
> ############################################
>
> Welcome to your new Drupal website!
>
> Please follow these steps to set up and start using your website:
>
>    1. Create your administrator account To begin, create the first
>       account. This account will have full administration rights and will
>       allow you to configure your website.
> ###################################################################
>
> if I click on "create the first account" I get an access denied
> page, so there seems to be nothing really dangerous going on, but
> this still seems very confusing, if not potentially dangerous, to me.

You get that default message until you create a post that is promoted  
to the front page. Just create a page with temp text or something,  
and that message should disappear.

Laura
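
One way to answer the "how do I check this?" question in the thread, as an added example that is not part of the original message: request a page on the www. host, then check that the response is a 301 to the same path on the bare domain. The function names and the sample responses are constructed for illustration; yourdomain.com is the placeholder from the snippet above.

```python
import re
from urllib.parse import urlsplit

# Constructed sample response heads (not captured from a real server).
REDIRECTED = (b"HTTP/1.1 301 Moved Permanently\r\n"
              b"Location: http://yourdomain.com/node/1\r\n\r\n")
NOT_REDIRECTED = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
WRONG_TARGET = (b"HTTP/1.1 301 Moved Permanently\r\n"
                b"location: http://yourdomain.com/\r\n\r\n")


def parse_head(raw):
    """Split a raw HTTP response into (status_code, {lowercased header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    match = re.match(r"HTTP/\d(?:\.\d)? (\d{3})", lines[0])
    if not match:
        raise ValueError("not an HTTP response")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(match.group(1)), headers


def check_canonical_redirect(raw, requested_url, bare_host):
    """Return a list of problems; an empty list means the rule took effect."""
    status, headers = parse_head(raw)
    if status != 301:
        # No redirect at all usually means the rule never ran.
        return ["expected 301, got %d: .htaccess may not be read" % status]
    requested = urlsplit(requested_url)
    location = urlsplit(headers.get("location", ""))
    problems = []
    if (location.hostname or "").lower() != bare_host.lower():
        problems.append("Location host is %r, not %r" % (location.hostname, bare_host))
    if location.path != requested.path:
        problems.append("path %r was not preserved" % requested.path)
    return problems


if __name__ == "__main__":
    url = "http://www.yourdomain.com/node/1"
    for name, raw in [("redirected", REDIRECTED), ("not redirected", NOT_REDIRECTED),
                      ("wrong target", WRONG_TARGET)]:
        print(name, check_canonical_redirect(raw, url, "yourdomain.com") or "OK")
```

The response head for a live site can be captured with `curl -sI` and passed in as bytes.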


