I am working on a website where I will need to use rewriting commands in .htaccess. It is not working, and I have finally traced the problem to the fact that I need to set
"AllowOverride All" in my Apache httpd.conf.
I am wondering if there are any security concerns that I should be aware of when I change the setting from "AllowOverride None" to "AllowOverride All"?
Thanks!
Good question, and the answer is yes, there is a risk here for you to evaluate. It will allow a user who has write access to a particular directory to create a .htaccess file and override various settings.
So, as a concrete example: if you have set up a global whitelist for a virtual host, the user could override that within the directory they can write to. Or they could override your global settings requiring an authorized user.
For more of what can be done, see: http://httpd.apache.org/docs/1.3/mod/core.html#allowoverride
If it's not a shared system, the risk is fairly minimal, as typically the entire web server instance will run as the same user, so this is not really about what happens if someone cracks the web server. It could be exploited if someone can find a hole in a script you have and can write an arbitrary file; let's say you have some kind of upload interface.
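To make the scenario in this answer concrete, here is an added configuration example (not from the original poster or answerer). It assumes Apache 2.4 syntax, a site rooted at /var/www/site with a web-writable upload directory at /var/www/site/uploads, and the documentation range 203.0.113.0/24 standing in for the "global whitelist"; all of those are illustrative choices. The commented-out block shows the weak setting and what an attacker-written .htaccess in the upload directory could do with it; the live block grants only the directives mod_rewrite actually needs, and only where they are needed.

```apache
# Illustrative paths and addresses; adjust to your layout. Apache 2.4 syntax.

# --- Weak: AllowOverride All on the whole tree -----------------------------
# <Directory /var/www/site>
#     Options FollowSymLinks
#     AllowOverride All
#     Require ip 203.0.113.0/24        # the per-vhost whitelist from the answer
# </Directory>
#
# With that in place, anyone who can drop a file into /var/www/site/uploads
# (for example through an upload form) can create uploads/.htaccess holding:
#
#     Require all granted                        # AuthConfig class: lifts the IP whitelist
#     AddHandler application/x-httpd-php .jpg    # FileInfo class: run uploaded "images" as PHP
#
# and the server will honour both lines for that directory and below.

# --- Hardened: permit only the rewrite directives, and not in writable dirs ---
<Directory /var/www/site>
    # mod_rewrite in per-directory (.htaccess) context needs FollowSymLinks or
    # SymLinksIfOwnerMatch. Setting it here means .htaccess never needs the
    # Options override class, which you therefore do not have to grant.
    Options FollowSymLinks
    Require ip 203.0.113.0/24

    # RewriteEngine/RewriteBase/RewriteCond/RewriteRule live in the FileInfo
    # override class, but FileInfo also admits AddHandler, AddType, SetHandler
    # and friends. Rather than "AllowOverride FileInfo", list exactly the
    # directives a .htaccess may use (AllowOverrideList is Apache 2.4+).
    AllowOverride None
    AllowOverrideList RewriteEngine RewriteBase RewriteCond RewriteRule
</Directory>

# Anything the web server (or an upload script running as it) can write to
# gets no .htaccess processing at all and is served as plain static files.
<Directory /var/www/site/uploads>
    AllowOverride None
    AllowOverrideList None
    Options None
    SetHandler default-handler
</Directory>
```

Two checks are worth running after a change like this. First, `apachectl -t` (or `apache2ctl -t` on Debian-derived systems) validates the syntax before a reload, because a typo in AllowOverrideList will stop the server from starting. Second, drop a test .htaccess containing a disallowed directive such as `Require all granted` into a directory that has AllowOverrideList set: the request should fail with a 500 and the error log should record that the directive is "not allowed here", which confirms the override is being refused rather than silently honoured. Note that with a plain `AllowOverride None` (and no AllowOverrideList) the .htaccess file is not read at all, so the same test there yields a normal response and no log entry. If PHP is wired up through a global `<FilesMatch>` with its own SetHandler (as with php-fpm), that FilesMatch merges after the Directory block and wins, so confirm with a harmless test file that scripts in the upload directory really are served as text rather than executed.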