linuxserver / docker-dokuwiki

GNU General Public License v3.0

Sensitive files are exposed #33

Closed conf-test closed 3 years ago

conf-test commented 3 years ago

Some sensitive directories and files are exposed to users and can be accessed by URL publicly:

- inc/
- vendor/
- .htaccess.dist
- /bin/.htaccess
- /inc/.htaccess
- /vendor/.htaccess

Expected Behavior

All these files should not be exposed, as warned in https://www.dokuwiki.org/security.

Especially, the .htaccess files can be used in web-based exploitation, as mentioned in https://www.acunetix.com/vulnerabilities/web/htaccess-file-readable/. They use this file to hide malware, to redirect search engines to their own sites, and for many other purposes (hide backdoors, inject content, modify the php.ini values, etc.).

Current Behavior

These files can be accessed by URL by outside users.

Steps to Reproduce

Just construct a URL to access these files and directories, and you can access them with a 200 status returned.

Environment

OS:

CPU architecture: x86_64/arm32/arm64

How docker service was installed: from the official docker repo linuxserver/dokuwiki.

Potential Fix

Disable access to these files and directories in the access configuration of this docker image.

github-actions[bot] commented 3 years ago

Thanks for opening your first issue here! Be sure to follow the bug or feature issue templates!

aptalca commented 3 years ago

See message here: https://github.com/linuxserver/docker-dokuwiki/blob/master/root/defaults/default#L18-L19 and here where it gets uncommented once you go through the wizard and restart: https://github.com/linuxserver/docker-dokuwiki/blob/master/root/etc/cont-init.d/50-config#L65-L69

My guess is, you didn't go through the wizard and restart

aptalca commented 3 years ago

I guess we're just missing the vendor folder
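The script below is an added example for this thread; it is not code from the linuxserver/docker-dokuwiki image, from DokuWiki, or from either commenter. It turns the reporter's "construct a URL and see if you get 200" reproduction step into a repeatable check, and prints the kind of nginx `deny` block that closes the paths once the wizard is done. It assumes the DokuWiki checkout is nginx's document root (as in the linuxserver image); the probe list, the file names inside each directory, and the two regexes are constructed for this example rather than taken from the image's own config.

```shell
#!/bin/sh
# Added example, not part of linuxserver/docker-dokuwiki or DokuWiki itself:
# probe a running wiki for DokuWiki internals that must never be web-reachable,
# and print an nginx snippet that closes them.  Assumes the DokuWiki checkout is
# the nginx document root, as in the linuxserver image.

# Constructed probe list: the .htaccess files the reporter found readable plus
# one file from each directory the DokuWiki security page says to protect
# (bin, conf, data, inc, vendor).  Files rather than bare directories, because a
# directory URL returns 403 whenever autoindex is off, which proves nothing about
# the files inside it.  A 200 from a .php path means PHP executed it and returned
# an empty page; a 200 from the .txt path means data/ is served as static files.
SENSITIVE_PATHS="
/.htaccess.dist
/bin/.htaccess
/conf/.htaccess
/data/.htaccess
/inc/.htaccess
/vendor/.htaccess
/inc/init.php
/vendor/autoload.php
/conf/dokuwiki.php
/data/pages/wiki/dokuwiki.txt
"

# is_exposed STATUS -> true (0) for any 2xx answer.  3xx is not counted: without
# curl -L a redirect means the server did not serve the file itself.
is_exposed() {
  case "$1" in
    2[0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# count_sensitive_paths -> number of entries in SENSITIVE_PATHS
count_sensitive_paths() {
  set -- $SENSITIVE_PATHS
  echo "$#"
}

# nginx_deny_snippet -> location blocks closing every path above.  The first
# regex is anchored so that /lib/plugins/<name>/inc/ style paths are not swept
# up by accident; the second covers .htaccess and .htaccess.dist anywhere.
nginx_deny_snippet() {
  cat <<'EOF'
# added example: deny direct access to DokuWiki internals
location ~ ^/(bin|conf|data|inc|vendor)/ { deny all; }
location ~ /\.ht { deny all; }
EOF
}

# covered_by_deny PATH -> true (0) when the regexes in the snippet match PATH.
# Kept identical to the snippet so the probe list and the rules stay in sync.
covered_by_deny() {
  printf '%s\n' "$1" | grep -Eq '^/(bin|conf|data|inc|vendor)/|/\.ht'
}

# all_paths_covered -> true (0) when every probe path is closed by the snippet
all_paths_covered() {
  for p in $SENSITIVE_PATHS; do
    covered_by_deny "$p" || return 1
  done
  return 0
}

# probe BASE_URL -> one line per path; returns 1 if any path answered 2xx
probe() {
  base="${1%/}"
  rc=0
  for p in $SENSITIVE_PATHS; do
    status=$(curl -s -o /dev/null -w '%{http_code}' "$base$p")
    if is_exposed "$status"; then
      echo "EXPOSED $status $p"
      rc=1
    else
      echo "closed  $status $p"
    fi
  done
  return "$rc"
}

case "${1:-}" in
  "")        echo "usage: $0 <base-url> | --snippet" >&2 ;;
  --snippet) nginx_deny_snippet ;;
  *)         probe "$1" ;;
esac
```

Run it as `sh check.sh http://wiki.example:80` before and after hardening; a non-zero exit means at least one internal path is still served. When adding the snippet, place it before the `location ~ \.php$` block, because nginx takes the first regex location that matches, and a later deny rule would never be reached for `/inc/init.php`. Deleting the wizard's `install.php` and restarting, as aptalca notes, is still a separate step.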