/app /vendor etc. folders are accessible ! Security ? #375
Comments
Hi, I'm an NginX user and the configuration written here works well: http://docs.bolt.cm/setup. I guess you use Apache, and you're right, we need to improve the .htaccess file I think: https://github.com/bolt/bolt/blob/master/.htaccess |
Yes, I'm an Apache user :) |
Did you try to add something like this in the .htaccess file?
|
Not working in .htaccess file.
Thanks for your help |
Hmm it's not ok lol :) |
What is the problem with those folders being accessible? Config files and the database are not accessible, php files are not a problem. What files/folders might be a problem? |
Are you sure about non-vulnerability in PHP files? |
I have not checked them all, no...
Might not be a bad idea? |
@richardhinkamp I think it's a good idea - let's do the same for |
Hey guys it's not working cause the css, js files in the ADMIN are called from app/ folder !!! |
Hmm except /app/view/, that contains css,js,etc |
You're right. @bobdenotter What do you think ? |
/app/classes/ also contains some files which should be accessible. This folder may need some cleanup since it contains different kind of files. |
I think we should merge in both your fixes. Richard's fix prevents all access to those folders, and @toin0u's prevents listing any other folders. I thought that directory listings were disabled by default, but it sure doesn't hurt to make sure. Thanks, both! |
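A sketch of the two measures discussed in this thread (denying web access to /app and /vendor while keeping the asset folders reachable, and turning off directory listings), added here as an example. It is not Bolt's actual .htaccess or either contributor's patch, and the exception list is an assumption taken from the folders named in the comments above.

```apache
# Added example for a .htaccess file in the web root; not the project's own file.

# Turn off automatic directory listings for this folder and everything below.
# Requires "AllowOverride Options" (or "All") in the server configuration,
# otherwise Apache answers every request with a 500 error.
Options -Indexes

# mod_rewrite is used because <Directory> sections are not valid in .htaccess.
# The rules are deliberately NOT wrapped in <IfModule mod_rewrite.c>: if the
# module is missing, the site fails with a 500 instead of silently serving
# /app and /vendor again.
RewriteEngine On

# Assumption: app/view/ and app/classes/ are the only places under app/ that
# hold files the browser must fetch (CSS, JS, images), as reported in the
# thread. Stop rule processing for them so the deny rule below is not reached.
# Narrow this list once the folders have been cleaned up.
RewriteRule ^app/(view|classes)/ - [L]

# Everything else under app/ and vendor/ is answered with 403 Forbidden.
# In .htaccess context the pattern is matched against the path relative to
# this directory, without a leading slash.
RewriteRule ^(app|vendor)(/|$) - [F]
```

After deploying, a request for any file under /vendor/ should return 403 while the admin stylesheets under /app/view/ still load. Place these rules above any front-controller rewrite so they are evaluated first.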
Hello,
Is there an issue to secure /app and /vendor folders ? They are accessible by default !!!
Thanks !