Security: htaccess inside data folder #1700

Open
PeopleInside opened this issue May 22, 2018 · 3 comments


@PeopleInside

commented May 22, 2018

RainLoop version, browser, OS:

CentOS - Firefox

Expected behavior and actual behavior:

The default content of .htaccess inside is not protecting if the Apache version is 2.4 (modern)

Steps to reproduce the problem:

With a default install you will get an alert in the admin panel that alerts you that the data folder is not secure (readable); the documentation doesn't help to fix this for Apache.
https://www.rainloop.net/docs/installation/

The solution for Apache 2.4 is to replace, or just add, the content inside .htaccess

deny from all

with

Require all denied

Also, the guide should be updated with information about how to solve the issue on Apache.

@universalhandle


commented Jun 5, 2018

For what it's worth, when I downloaded it via wget https://www.rainloop.net/repository/webmail/rainloop-community-latest.zip (version 1.12.0), the zip contained no .htaccess files at all.

@PeopleInside

Author

commented Jun 5, 2018

It seems topics on GitHub and also emails to support are no longer replied to... maybe the owner is busy, but I am asking about the security of the product... also, maybe it will be important to consider that if there is an issue, no one will reply. Maybe... from what I can see. I tried to send an email to support many days ago and got no replies; also, here on GitHub I cannot see much reply activity.

Sad to see this because the software looks to be nice and good. I do not know how secure it is.

@ThomasEBoland


commented Aug 17, 2018

Two months later, the same problem exists in an AWS instance of Ubuntu 18.04.1 with Apache 2.4. No .htaccess files in community-latest.zip downloaded and installed today. I got around it by adding

  <Directory "/var/www/rainloop/data" >
    Require all denied
  </Directory>

in my /etc/apache2/sites-available/000.conf. I could have used .htaccess; I chose to use the conf file instead.
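
An added example, not part of the original thread and not a file shipped by RainLoop: a `data/.htaccess` that denies access under both the Apache 2.2 and the Apache 2.4 directive syntax discussed above, followed by the matching server-config setting. It assumes the directory path quoted in the last comment; with `AllowOverride None` (the default since Apache 2.3.9) a `.htaccess` file is ignored entirely, so the override line is part of the fix.

```apache
# ---- data/.htaccess (constructed example) ----

# Apache 2.4: access control comes from mod_authz_core ("Require").
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2: mod_authz_core does not exist, so fall back to the
# older Order/Deny directives.
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>

# ---- server or virtual-host config (constructed example) ----
# Path taken from the comment above; adjust to the real install path.
# Use ONE of the two variants below, not both.

# Variant A: let the .htaccess above take effect.
# "Require" needs the AuthConfig override, Order/Deny need Limit.
<Directory "/var/www/rainloop/data">
    AllowOverride AuthConfig Limit
</Directory>

# Variant B: deny in the server config and ignore .htaccess, so the
# protection does not depend on a file inside the web root.
# <Directory "/var/www/rainloop/data">
#     AllowOverride None
#     Require all denied
# </Directory>
```

After reloading Apache, a request for any path under the data folder should return 403 Forbidden.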
