Could someone please guide me with some basic security settings. I have installed a test website using version 2.3.13 on Apache2/php55, and it's working fine, but I don't understand why I can access all the files in my Elgg directories from the internet (even when not logged on).
For example:
http://my-site/vendor/elgg/elgg/README.md
and
http://my-site/mod/pages/manifest.xml
both return their contents.
Maybe it's a simple Apache2 config, but it would be great if someone could point me in the right direction. And yes, "Restrict pages to logged-in users" is set and the default access setting is Private.
MANY MANY THANKS!
Rich
some additions....
apache2.conf
# Directory block for the Elgg web root (path masked in the original post)
<Directory /var/www/html/xxxxxxx/>
    Options FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
.htaccess
# Don't allow listing directories
Options -Indexes
# Follow symbolic links
Options +FollowSymLinks
# Default handler
DirectoryIndex index.php
RewriteEngine on
# explicitly allow access for the .well-known directory
RewriteRule "^.well-known/" - [L]
# hide all dot files/dirs (.git)
RewriteRule (^\.|/\.) - [F]
Well, I can use the following, which does stop access to these extensions, but I'm still a little uneasy about anyone having access to directories like
.../elgg-config/
.htaccess
# Deny these file types from URL access. Apache does not allow a trailing
# comment on a directive line, so the comment has to sit on its own line.
# (?i) makes the match case-insensitive, so README.md is caught as well as
# README.MD (the plain "MD" pattern only matched upper case).
<FilesMatch "(?i)\.(rst|md|txt)$">
    Require all denied
</FilesMatch>
thanks
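The FilesMatch approach above only covers file extensions; if the concern is the directories themselves, the same .htaccess can also refuse direct requests into them. The fragment below is an added example written for this thread, not the poster's configuration and not Elgg's own shipped .htaccess. It assumes the composer-style Elgg 2.x layout visible in the question (vendor/, mod/ and elgg-config/ directly under the DocumentRoot), Apache 2.4 syntax with mod_rewrite enabled, and that the site serves no static assets straight out of vendor/ or elgg-config/ (plugin assets under mod/ are left untouched).

```apache
# Added example .htaccess fragment for an Elgg 2.x web root (not from this
# thread or from Elgg). Assumes Apache 2.4, mod_rewrite, AllowOverride All,
# and that nothing the browser needs is served directly from vendor/ or
# elgg-config/.

# Never list directory contents; keep symlink following for Elgg.
Options -Indexes +FollowSymLinks
DirectoryIndex index.php

RewriteEngine on

# Keep .well-known reachable (e.g. ACME challenges), then answer every other
# dot file or dot directory (.git, .env, .htaccess) with 403.
RewriteRule "^\.well-known/" - [L]
RewriteRule "(^|/)\." - [F]

# Direct requests into directories a browser never needs: elgg-config/
# (settings.php) and vendor/ (composer packages with their README files).
# Assumption: no site assets live in these trees; verify the site still
# renders after enabling this.
RewriteRule "^(elgg-config|vendor)(/|$)" - [F]

# Documentation and metadata files anywhere in the tree. (?i) makes the
# match case-insensitive so README.md and README.MD are both covered.
# PHP files are executed rather than served, so they are not listed.
<FilesMatch "(?i)\.(md|rst|txt|xml|json|lock|ya?ml|dist)$">
    Require all denied
</FilesMatch>
```

Place this before Elgg's final catch-all rewrite to index.php so the [F] rules are evaluated first. After reloading, check with `curl -I http://my-site/vendor/elgg/elgg/README.md` and `curl -I http://my-site/mod/pages/manifest.xml` (both should return 403) and then load the front page and a plugin page to confirm that assets still arrive; if something under mod/ or vendor/ goes missing from a page, the vendor/ rule is the one to relax for that path.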
The only important point is that you don't set write permission for the files/folders of the Elgg install folder and its subfolders. The only exception might be during installation, where it would temporarily be necessary to allow the Elgg installer to create settings.php and .htaccess. Afterwards the write permission should no longer be necessary at all, as the webserver would only have to read the files and read/access the folders but not write into them.
The files you are so worried about are freely downloadable here from the site (within the zip archive), and everyone can view them at the Elgg GitHub repository as well. There's no secret in them, so there's no harm in anyone seeing their content (which would still require knowing the full path).
Thanks iionly,
I've played around with the RewriteCond and this seems to have sorted it out. I will need to watch it for a while to see if it has any knock-on effect on other plugins. The first line covers my homepage, where there are some direct links to jpg, css files etc., then everything else is forced through the Elgg route.
# Requests into the homepage plugin's own directory (direct links to jpg/css
# files) are left alone: this condition fails for them, so the rule below
# does not fire.
RewriteCond %{REQUEST_URI} !^/mod/homepage_elgg/(.*)$
# The next two conditions are complementary (-f OR !-f), so together they are
# always satisfied: every other request, existing file or not, is rewritten.
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} !-f
#RewriteCond %{REQUEST_FILENAME} !-d
# Hand the request to Elgg's front controller, keeping the query string.
RewriteRule ^(.*)$ index.php?__elgg_uri=$1 [L,QSA]