- Task
- Resolution: Fixed
- Minor
- 3.3.5
- None
Like cache, files, images\avatars\upload, includes and store, the directory named « config » has a .htaccess file for the Apache web server with the aim of denying access.
However, the sample config files for other web servers (docs/lighttpd.sample.conf and docs/nginx.sample.conf) do not reflect that restriction. Only the "config" PHP file is denied, not the directory. The same applies to the web.config for IIS. The config directory restriction should be added to the IIS/lighttpd/nginx files.
- - - - - - -
For nginx.sample.conf, the line...
location ~ /(config\.php|common\.php|cache|files|images/avatars/upload|includes|(?<!ext/)phpbb(?!\w+)|store|vendor) {
...could be replaced by that one:
location ~ /(config|common\.php|cache|files|images/avatars/upload|includes|(?<!ext/)phpbb(?!\w+)|store|vendor) {
The presence of config in the location denies both the config directory and config.php for nginx.
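
The check below is an added example, not part of the ticket or of phpBB. It runs the two location patterns quoted above against a few request URIs to show which ones each pattern denies. It assumes Python's `re.search` is close enough to nginx's case-sensitive, unanchored `location ~` match for these constructs. The sample URIs are constructed.

```python
import re

# Patterns copied verbatim from the two nginx `location ~` lines in the ticket.
OLD = (r"/(config\.php|common\.php|cache|files|images/avatars/upload|includes|"
       r"(?<!ext/)phpbb(?!\w+)|store|vendor)")
NEW = (r"/(config|common\.php|cache|files|images/avatars/upload|includes|"
       r"(?<!ext/)phpbb(?!\w+)|store|vendor)")

# Constructed sample request URIs (not taken from the ticket).
SAMPLES = [
    "/config.php",
    "/config/default/container/services.yml",
    "/config/",
    "/index.php",
    "/viewtopic.php",
    "/configuration-help.html",  # hypothetical page sharing the "config" prefix
]


def blocked(pattern, uri):
    """True if the location regex would select this URI (and so deny it)."""
    # Assumption: nginx `location ~` is modelled as an unanchored,
    # case-sensitive regex search over the request URI.
    return re.search(pattern, uri) is not None


def compare(uris=SAMPLES):
    """Map each URI to (denied by old pattern, denied by new pattern)."""
    return {u: (blocked(OLD, u), blocked(NEW, u)) for u in uris}


def newly_blocked(uris=SAMPLES):
    """URIs that only the proposed pattern denies."""
    return [u for u, (old, new) in compare(uris).items() if new and not old]


if __name__ == "__main__":
    for uri, (old, new) in compare().items():
        print(f"{uri:45} old={'deny' if old else 'allow':5} "
              f"new={'deny' if new else 'allow'}")
```

Because the alternation is unanchored, the proposed pattern also denies any path segment that merely starts with `config`, as the last sample shows. The existing `cache` and `files` entries already behave the same way.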