  1. phpBB3
  2. PHPBB3-16890

Edit the config sample files and web.config to deny access to the "config" directory

Details

    • Task
    • Status: Open
    • Minor
    • Resolution: Unresolved
    • 3.3.5
    • None
    • Documentation
    • None

    Description

      Like cache, files, images\avatars\upload, includes and store, the directory named « config » has a .htaccess file for the Apache web server, in order to deny access.

      However, the sample config files for other web servers (docs/lighttpd.sample.conf and docs/nginx.sample.conf) do not reflect that restriction. Only the "config" PHP file is denied, not the directory. The same applies to the web.config for IIS. The config directory restriction should be added to the IIS/lighttpd/nginx files.

      -  -  -  -  -  -  -

      For nginx.sample.conf, the line...

      location ~ /(config\.php|common\.php|cache|files|images/avatars/upload|includes|(?<!ext/)phpbb(?!\w+)|store|vendor) {

      ...could be replaced by this one:

      location ~ /(config|common\.php|cache|files|images/avatars/upload|includes|(?<!ext/)phpbb(?!\w+)|store|vendor) {

      The presence of config in the location denies both the config directory and config.php for nginx.
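
One way to check what the proposed change does before deploying it is to run both alternations against sample request paths. This is an added example, not part of the ticket or of phpBB's own files; the request paths are constructed, and Python's `re.search` is assumed to stand in for nginx's unanchored, case-sensitive `location ~` match.

```python
import re

# Alternation from the docs/nginx.sample.conf line quoted in the ticket.
OLD = (r"/(config\.php|common\.php|cache|files|images/avatars/upload|includes|"
       r"(?<!ext/)phpbb(?!\w+)|store|vendor)")
# Replacement proposed in the ticket: "config" instead of "config\.php".
NEW = (r"/(config|common\.php|cache|files|images/avatars/upload|includes|"
       r"(?<!ext/)phpbb(?!\w+)|store|vendor)")

# Constructed request paths (illustrative, not taken from a real board).
SAMPLE_URIS = [
    "/index.php",                           # public entry point
    "/viewtopic.php",                       # public entry point
    "/app.php/help/faq",                    # routed page
    "/config.php",                          # denied by both rules
    "/cache/data_global.php",               # denied by both rules
    "/config/parameters.yml",               # file inside the config directory
    "/ext/acme/demo/config/services.yml",   # a "config" directory at any depth
    "/configuration.html",                  # only shares the "config" prefix
]


def is_denied(pattern, uri):
    """True if the location regex matches anywhere in the request path."""
    return re.search(pattern, uri) is not None


def compare(uris):
    """Return (uri, denied_by_old, denied_by_new) for each path."""
    return [(u, is_denied(OLD, u), is_denied(NEW, u)) for u in uris]


def newly_denied(uris):
    """Paths the proposed rule blocks that the current rule lets through."""
    return [u for u, old, new in compare(uris) if new and not old]


if __name__ == "__main__":
    for uri, old, new in compare(SAMPLE_URIS):
        print(f"{uri:40} old={'deny' if old else 'pass'} new={'deny' if new else 'pass'}")
    print("newly denied:", newly_denied(SAMPLE_URIS))
```

Because the alternative is an unanchored prefix, the new rule also matches any path segment that merely begins with `config`, as the last sample path shows.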


          People

            Assignee: Unassigned
            Reporter: Big Monstro