Blount / Cheky

Email and RSS alerts for Leboncoin.fr
GNU General Public License v3.0

users.db and other files in var are world readable #65

Closed piem closed 6 years ago

piem commented 7 years ago

This is a security concern. All files in var/ can be accessed remotely without authentication:

    $ wget -qO- https://myhost/mychekyinstall/var/users.db | wc -l
    2

Blount commented 7 years ago

An .htaccess file protects this file on an Apache server. With another server (like Nginx), you need to protect this folder yourself.

After checking the documentation, I can see that this point is missing, sorry.

I'll write code to check that the web server cannot reach any files in this folder. Thank you.

piem commented 7 years ago

I had AllowOverride None in my apache config, so .htaccess was ignored.

Changing that to AllowOverride Limit helps.

An example apache configuration would be welcome. Something like this maybe:

    # Serve the install under /mycheckyurl/ from its directory on disk
    Alias /mycheckyurl/ /path/to/cheky/
    <Directory "/path/to/cheky">
        # Limit lets the shipped .htaccess (Order/Allow/Deny) take effect
        AllowOverride Limit
        AddType application/x-httpd-php .php
        Require all granted
    </Directory>

And yes, displaying a big warning if these files are accessible would be nice too :-)
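A self-check of the kind Blount offers to write and piem asks for, as an added example in PHP (Cheky's own language; this is not code from the project): it sends a HEAD request for var/users.db and reports which URLs the web server still serves, so an admin page can show the warning. The helper names, the configured base URL and the warning markup are assumptions.

```php
<?php
// Added example, not Cheky's own code. $baseUrl is assumed to come from the
// application's stored configuration, not from the Host header, so that an
// incoming request cannot steer where the probe is sent.

/**
 * Returns the HTTP status code received for $url, or 0 if no response came back.
 * A HEAD request is used so the check never downloads an exposed file.
 */
function probeStatus(string $url): int
{
    $ctx = stream_context_create([
        'http' => [
            'method'          => 'HEAD',
            'timeout'         => 5,
            'ignore_errors'   => true,  // keep headers for 4xx/5xx answers too
            'follow_location' => 0,     // judge the directory itself, not a redirect target
        ],
    ]);
    @file_get_contents($url, false, $ctx);
    // The http:// wrapper fills $http_response_header in the calling scope.
    if (empty($http_response_header)
        || !preg_match('#^HTTP/\S+\s+(\d{3})#', $http_response_header[0], $m)) {
        return 0;
    }
    return (int) $m[1];
}

/**
 * Probes files under var/ and returns the URLs answered with a 2xx status.
 * An empty result means every probe was refused (403), absent (404) or unreachable.
 */
function exposedVarFiles(string $baseUrl, array $names = ['users.db']): array
{
    $exposed = [];
    foreach ($names as $name) {
        $url    = rtrim($baseUrl, '/') . '/var/' . $name;
        $status = probeStatus($url);
        if ($status >= 200 && $status < 300) {
            $exposed[] = $url;
        }
    }
    return $exposed;
}

// Usage from an admin page (base URL below is a constructed value standing in for the configured one).
$exposed = exposedVarFiles('https://myhost/mychekyinstall');
if ($exposed) {
    echo '<div class="alert alert-danger"><strong>Security warning:</strong> the web server serves files in var/: '
        . htmlspecialchars(implode(', ', $exposed))
        . '. Deny access to this directory (Apache: AllowOverride Limit so .htaccess applies; Nginx: a location block that returns 403).</div>';
}
```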