Security question about httpd.conf AllowOverride setting

Solution 1:

Good question, and the answer is yes, there is a risk here for you to evaluate. It will allow a user who has write access to a particular directory to create a .htaccess file and overwrite various settings:

  • Auth settings
  • Limits, such as IP whitelists/blacklists
  • How filetypes are handled
  • Options on that directory

So, as a concrete example: if you have set up a global whitelist for a virtual host, the user could overwrite that within the directory they can write to. Or they could overwrite your global settings requiring an authorized user.

For more of what can be done, see: http://httpd.apache.org/docs/1.3/mod/core.html#allowoverride

If it's not a shared system, the risk is fairly minimal, as typically the entire web server instance will run as the same user, so this is not really about what happens if someone cracks the webserver. It could be exploited if someone can find a hole in a script you have and can write an arbitrary file; let's say you have some kind of upload interface.
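To make the point of the answer concrete, here is an added example of an httpd.conf fragment (not from the question, the answer or the Apache project) that keeps overrides off by default and grants them only where a per-directory file is actually wanted. It uses Apache 2.4 `Require` syntax and assumes a constructed document root of /var/www/example with private/ and uploads/ subdirectories; adjust to your own layout.

```apache
# Constructed paths for this example: /var/www/example is the document root.
<Directory "/var/www/example">
    # Default posture: .htaccess files in this tree are never read, so a file
    # dropped there cannot change auth, access limits, handlers or Options.
    AllowOverride None
    Options -Indexes -ExecCGI
    Require all granted
</Directory>

# One directory where maintainers should manage their own password protection:
# grant only the AuthConfig class of directives, nothing else.
<Directory "/var/www/example/private">
    AllowOverride AuthConfig
    Require all denied
</Directory>

# The directory an application writes uploaded files into. This is exactly the
# place the answer warns about, so overrides stay off and nothing is executable.
<Directory "/var/www/example/uploads">
    AllowOverride None
    Options None
    # Serve every file as plain bytes regardless of its extension.
    SetHandler default-handler
    # Constructed IP allowlist; with AllowOverride None a .htaccess containing
    # "Require all granted" in this directory is ignored rather than honoured.
    Require ip 10.0.0.0/8
</Directory>
```

After changing the config, run `apachectl -t` to syntax-check it and reload. A quick behavioural check for the uploads directory: temporarily place a .htaccess there containing `Require all denied`, request a file in that directory from an allowed address, and confirm it is still served; that proves the per-directory file is being ignored. If you ever need to allow a narrow set of directives rather than a whole class, Apache 2.4 also offers `AllowOverrideList` to name individual directives.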