  1. phpBB
  2. PHPBB-16890

Edit the config sample files and web.config to deny access to the "config" directory


    • Task
    • Resolution: Fixed
    • Minor
    • 3.3.13-RC1
    • 3.3.5
    • Documentation
    • None

      Like cache, files, images\avatars\upload, includes and store, the directory named "config" has a .htaccess file for the Apache web server with the aim of denying access.

      However, the config sample files for other web servers (docs/lighttpd.sample.conf and docs/nginx.sample.conf) do not reflect that restriction. Only the "config" PHP file is denied, not the directory. The same applies to the web.config for IIS. The config directory restriction should be added for the IIS/lighttpd/nginx files.

      -  -  -  -  -  -  -

      For nginx.sample.conf, the line...

      location ~ /(config\.php|common\.php|cache|files|images/avatars/upload|includes|(?<!ext/)phpbb(?!\w+)|store|vendor) {

      ...could be replaced by this one:

      location ~ /(config|common\.php|cache|files|images/avatars/upload|includes|(?<!ext/)phpbb(?!\w+)|store|vendor) {

      The presence of config in the location denies both the config directory and config.php for nginx.

       

       

            Marc
            Big Monstro
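
The effect of the proposed nginx change can be checked offline before touching a server. This is an added example, not part of the ticket or of phpBB: it uses Python's `re` module as a stand-in for nginx's PCRE matching, and the request paths and helper names are constructed for illustration.

```python
import re

# The two regexes are copied from the nginx `location ~` lines quoted in the ticket.
# re.ASCII keeps \w ASCII-only, as in nginx's default (non-UTF-8) PCRE matching.
OLD = re.compile(
    r"/(config\.php|common\.php|cache|files|images/avatars/upload|includes"
    r"|(?<!ext/)phpbb(?!\w+)|store|vendor)", re.ASCII)
NEW = re.compile(
    r"/(config|common\.php|cache|files|images/avatars/upload|includes"
    r"|(?<!ext/)phpbb(?!\w+)|store|vendor)", re.ASCII)

# Constructed request paths (assumptions, not taken from the ticket).
SAMPLES = [
    "/config.php",          # already denied before the change
    "/config/",             # the directory the ticket wants denied
    "/config/example.yml",  # a file inside that directory
    "/viewtopic.php",       # ordinary page, must stay reachable
    "/configure.html",      # only shares the "/config" prefix
]


def denied(pattern, uri):
    """`location ~` is an unanchored, case-sensitive regex search on the URI path."""
    return pattern.search(uri) is not None


def compare(uris):
    """Map each URI to (denied by old rule, denied by new rule)."""
    return {u: (denied(OLD, u), denied(NEW, u)) for u in uris}


def newly_denied(uris):
    """URIs that the old rule let through and the new rule blocks."""
    return [u for u, (old, new) in compare(uris).items() if new and not old]


if __name__ == "__main__":
    for uri, (old, new) in compare(SAMPLES).items():
        print(f"{uri:24} old={'deny' if old else 'pass'}  new={'deny' if new else 'pass'}")
```

Because the pattern is unanchored, the new rule also denies any path segment that merely begins with `config`, which is worth checking against the URLs a given board actually serves.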