
[2010-07-15] IIS allows access to various PHP scripts that shouldn't be allowed #1384

Closed
silverstripe-issues opened this issue Apr 3, 2013 · 5 comments

Comments

@silverstripe-issues

created by: @halkyon (sharvey)
assigned to: @halkyon (sharvey)
created at: 2010-07-15
original ticket: http://open.silverstripe.org/ticket/5835


In cms, sapphire, there's an .htaccess file which blocks access to various PHP scripts for security reasons.

IIS is a popular web server, so having a web.config that does the equivalent of this out of the box might be a good idea too.

e.g. http://localhost/ss24/cms/_config.php should not be allowed on IIS.

It's unclear whether IIS supports blocking requests by extension, but there should be some sort of request filtering that could achieve the same effect as the current .htaccess files in the cms and sapphire directories.

@ghost ghost assigned halkyon Apr 3, 2013
@simonwelsh simonwelsh added this to the 3.2 milestone Mar 15, 2014
@tractorcow
Contributor

In framework all .php files need to be whitelisted.

See https://github.com/silverstripe/silverstripe-framework/blob/3.1/web.config

We should add this to cms as well.
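Both the opening post (a web.config that does what the cms and sapphire .htaccess files do) and the comment above (whitelisting the few .php entry points instead of blacklisting) can be expressed with IIS request filtering plus a URL Rewrite rule. The following web.config is an added example, not SilverStripe's own file from the link above, and it makes assumptions: the IIS URL Rewrite module is installed, the site runs at the server root, and the only PHP entry points the site needs are `index.php` in the webroot and `framework/main.php` (assumed names; adjust to the real entry points of the release you deploy). The `vendor` hidden segment reflects the later comment that vendor access is denied by default in 4.x and is likewise an assumption about the layout.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example web.config (added illustration, not the project's own file).
     Assumptions: URL Rewrite module present, site at the server root,
     entry points are /index.php and /framework/main.php. -->
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- Refuse any URL with a path segment named "vendor", whatever the
             extension; this denies composer-installed code outright. -->
        <hiddenSegments>
          <add segment="vendor" />
        </hiddenSegments>
      </requestFiltering>
    </security>

    <rewrite>
      <rules>
        <!-- Whitelist rule: every request for a .php file is refused unless it
             targets one of the two entry points. Keep this rule FIRST so that
             friendly-URL rewrites further down cannot run before it. -->
        <rule name="Deny direct access to PHP files" stopProcessing="true">
          <!-- "(/|$)" also catches /cms/_config.php/anything, where IIS would
               otherwise hand the script to PHP with PATH_INFO set. -->
          <match url="\.php(/|$)" ignoreCase="true" />
          <conditions logicalGrouping="MatchAll">
            <!-- {URL} is the decoded request path including the leading slash -->
            <add input="{URL}" pattern="^/index\.php(/|$)" negate="true" ignoreCase="true" />
            <add input="{URL}" pattern="^/framework/main\.php(/|$)" negate="true" ignoreCase="true" />
          </conditions>
          <action type="CustomResponse" statusCode="403"
                  statusReason="Forbidden"
                  statusDescription="Direct access to PHP files is not permitted" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

After deploying, check the behaviour from the outside rather than trusting the file: a request for `/cms/_config.php` (and for `/cms/_config.php/` with a trailing slash) should return 403, while `/index.php` and `/framework/main.php` should still answer normally. Two caveats: `hiddenSegments` blocks the segment name anywhere in the path, so a legitimate asset directory called `vendor` under `assets/` would be blocked too; and if the site is installed as an IIS application below the root, `{URL}` carries the application path, so the condition patterns need that prefix.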

@tractorcow tractorcow modified the milestones: 3.1.14, 3.2.0 Jun 16, 2015
@sminnee sminnee removed this from the 3.1.14 milestone Jul 21, 2015
@dhensby
Contributor

dhensby commented Aug 12, 2016

is this done?

@tractorcow
Contributor

No, and this is very easily done. Triaging and assigning to v3.

@chillu
Member

chillu commented Oct 6, 2017

Now that all core modules are placed in vendor, and vendor access is denied by default, it's only a problem for modules that haven't made the switch to silverstripe-vendormodule yet. It's still an issue for SS3. But overall, it's much lower impact now (now impact/critical)

@sminnee
Member

sminnee commented Nov 5, 2017

I would assume that the fix for this (slated for 4.1) is to move the webroot to a subfolder. As such I think that this bug is covered by #7419 and we can close this.
