
/app /vendor etc. folders are accessible ! Security ? #375

Closed
benjbdev opened this issue Apr 22, 2013 · 14 comments

@benjbdev

Hello,
Is there a way to secure the /app and /vendor folders? They are accessible by default!!!

Thanks !

@toin0u
Contributor

toin0u commented Apr 23, 2013

Hi,

I'm an NginX user and the configuration written here works well: http://docs.bolt.cm/setup

I guess you use Apache and you're right we need to improve the .htaccess file I think: https://github.com/bolt/bolt/blob/master/.htaccess
With the directive maybe ? http://httpd.apache.org/docs/2.0/mod/core.html#directory

@benjbdev
Author

Yes, I'm an Apache user :)
Am I the only one to have this problem?

@toin0u
Contributor

toin0u commented Apr 23, 2013

Did you try to add something like this in the .htaccess file?

<Directory /app>
    Order Deny,Allow
    Deny from All
</Directory> 
<Directory /vendor>
    Order Deny,Allow
    Deny from All
</Directory> 

@benjbdev
Author

Not working in .htaccess file.
I put it in httpd.conf and now it's ok, with a 404 redirection instead of a 403 .. :)

<Directory "C:/wamp/www/bolt/app">
    Order Deny,Allow
    Deny from All
</Directory>
RedirectMatch 404 ^/app(/?|/.*)$
<Directory "C:/wamp/www/bolt/vendor">
    Order Deny,Allow
    Deny from All
</Directory> 
RedirectMatch 404 ^/vendor(/?|/.*)$

Thanks for your help

@benjbdev
Author

Hmm it's not ok lol :)
Now all files like /app/view/js/bolt.js are not available.. !

@richardhinkamp
Contributor

What is the problem with those folders being accessible? Config files and the database are not accessible, php files are not a problem. What files/folders might be a problem?

@benjbdev
Author

Are you sure about the non-vulnerability of the PHP files?

@richardhinkamp
Contributor

I have not checked them all no...
So a rewrite line like:

  RewriteRule ^vendor/(.*)?$ / [R=301,L]

Might not be a bad idea?

@toin0u
Contributor

toin0u commented Apr 23, 2013

@richardhinkamp I think it's a good idea - let's do the same for app folder as well.

toin0u added a commit to toin0u/bolt that referenced this issue Apr 23, 2013
@benjbdev
Author

Hey guys, it's not working because the css and js files in the ADMIN are called from the app/ folder!!!

@richardhinkamp
Contributor

Hmm, except /app/view/, which contains css, js, etc.

@toin0u
Contributor

toin0u commented Apr 23, 2013

You're right.

@bobdenotter What do you think ?

@richardhinkamp
Contributor

/app/classes/ also contains some files which should be accessible. This folder may need some cleanup since it contains different kinds of files.

@bobdenotter
Member

I think we should merge in both your fixes. Richard's fix prevents all access to those folders, and @toin0u's prevents listing any other folders. I thought that directory listings were disabled by default, but it sure doesn't hurt to make sure. Thanks, both!
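The outcome the thread converges on, written out as an added example (not Bolt's shipped .htaccess): the `<Directory>` blocks above fail in .htaccess because that directive is only valid in the server configuration, so per-directory mod_rewrite rules are used instead, blocking /vendor and /app while keeping the admin's static assets in /app/view reachable. It assumes mod_rewrite is enabled, that the file lives in the Bolt document root, and that AllowOverride permits FileInfo and Options.

```apache
# Added example, not the project's own .htaccess.
# Deny web access to the PHP code under vendor/ and app/ while keeping
# the admin UI's css/js in app/view/ reachable (richardhinkamp's point).
RewriteEngine On

# Pass-through for the static admin assets; [L] stops rule processing
# for this request so the deny rule below never sees it.
RewriteRule ^app/view/ - [L]

# Anything else under app/ or vendor/ (the directory itself included)
# answers 404, like the RedirectMatch variant in the thread, so the
# directory tree is not revealed. Use [F,L] instead for a plain 403.
# In per-directory context the matched path has no leading slash.
RewriteRule ^(app|vendor)(/.*)?$ - [R=404,L]

# Belt and braces: no auto-generated directory listings anywhere.
Options -Indexes
```

Any further directory that must stay reachable (the thread mentions files under /app/classes/) gets its own pass-through line above the deny rule. Verify with a request for /vendor/ (expect 404) and for /app/view/js/bolt.js (expect 200) after reloading.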
