modxbot / migrate

A testground for migrating issues and other such fun

Hide MODX fingerprint “config.core.php” #10343

Open modxbot opened 11 years ago

modxbot commented 11 years ago

ox6a6e created Redmine issue ID 10343

If the root “.htaccess” is changed to

    [...]
    # The Friendly URLs part
    # The first condition is chained with [OR], so the chain reads:
    #   (URI ends in /config.core.php  OR  no such file)  AND  not a directory
    # A request for config.core.php therefore goes to index.php?q=config.core.php,
    # exactly as a request for a file that does not exist would.
    RewriteCond %{REQUEST_URI} /config.core.php$ [OR]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
    [...]

“config.core.php” is treated like a non-existing file.

exside commented 10 years ago

exside submitted:

This is my preferred way to do the same

1) be nice (but maybe insecure, don't know...) and redirect the "hacker" to the homepage with

    # Protect files that a visitor has nothing to do with, but don't show them ugly deny messages, just redirect them to the homepage
    RedirectMatch (((.*)\.(htaccess|bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist))|config\.core\.php)$ http://www.domain.tld/

2) protect the config file with other files that should not be accessed like that:

    # Block access to backup, source and config files
    # (the enclosing <FilesMatch> container was lost when the comment was rendered;
    #  its pattern is reconstructed here from the extension list used in 1))
    <FilesMatch "(\.(htaccess|bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)|config\.core\.php)$">
        Order allow,deny
        Deny from all
        Satisfy All
    </FilesMatch>

Unfortunately it's not possible to do both: if 2) is active you will always get the "not permitted" messages, so there will be no redirect (or is there a way I don't know of to be really safe and deny them anyway, but redirect them before going to the hard denying?)...

I would actually be very interested to know if 1) is really safe or not? Any ideas?

modxbot commented 10 years ago

ox6a6e submitted:

Security-wise, I’d say that there’s already a problem if any of these files is visible in your web space. Nicety is no option here, go for 2).

The results are different for your suggestions and mine: 1) gives a 30x status (*), 2) gives a 50x status, and in both cases it is known that there is something to hide. My change lets MODX take care of it, probably sending a 404 (custom) error page, just the same as for non-existing files.

(*) need to check the HTTP documentation to see which 30x fits this case
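The criterion the thread converges on is that a request for config.core.php must be indistinguishable from a request for a file that does not exist: a redirect (option 1) or a 403 (option 2) confirms the file is there, while the rewrite to index.php yields the same 404 page as any other missing path. The script below, an added example that is not part of the original issue or of MODX, turns that criterion into a check. It fetches one random, certainly non-existent path as a baseline, then each sensitive path, without following redirects, and reports whether the response differs. The probe list, the base URL argument and the sample response bodies are assumptions chosen for illustration; it also goes slightly beyond the thread by stripping the echoed path from custom error pages, so two 404 pages that differ only in the path they echo still count as equal.

```python
"""Check whether a web root leaks the existence of files such as config.core.php.

Added example, not part of the original issue thread or of MODX. Usage:
    python fingerprint_check.py https://www.domain.tld
"""
import secrets
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed list of paths whose existence should not be confirmed to an anonymous
# visitor; it mirrors the extensions discussed in the thread.
PROBE_PATHS: List[str] = [
    "config.core.php",
    ".htaccess",
    "config.core.php.bak",
    "db.sql",
    "error.log",
]


@dataclass(frozen=True)
class Probe:
    path: str
    status: int
    location: Optional[str]  # Location header of a redirect, if any
    body: bytes


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 30x responses instead of following them, so a redirect-to-homepage
    policy (option 1 in the thread) shows up as a 30x status."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(base_url: str, path: str, timeout: float = 10.0) -> Probe:
    """Request base_url/path and capture status, Location and body."""
    url = base_url.rstrip("/") + "/" + path.lstrip("/")
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "fingerprint-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return Probe(path, resp.status, resp.headers.get("Location"), resp.read())
    except urllib.error.HTTPError as err:
        # 3xx (because of NoRedirect), 4xx and 5xx all arrive here and still
        # carry the status, the headers and the body we want to compare.
        return Probe(path, err.code, err.headers.get("Location"), err.read())


def comparable_body(probe: Probe) -> bytes:
    """Custom error pages often echo the requested path; strip it before comparing."""
    return probe.body.replace(probe.path.encode(), b"")


def verdict(baseline: Probe, probe: Probe) -> str:
    """Classify a probe against the baseline taken for a non-existent path.

    'hidden'      indistinguishable from a non-existent file (the thread's goal)
    'leak: ...'   the response confirms the file is present
    'differs...'  same status but a different page; worth a manual look
    """
    same_status = probe.status == baseline.status
    same_location = probe.location == baseline.location
    same_body = comparable_body(probe) == comparable_body(baseline)
    if same_status and same_location and same_body:
        return "hidden"
    if 300 <= probe.status < 400:
        return "leak: redirect to %s" % probe.location
    if probe.status == 403:
        return "leak: forbidden"
    if not same_status:
        return "leak: status %d, baseline %d" % (probe.status, baseline.status)
    return "differs: same status, different body or Location"


def check_site(base_url: str, paths: List[str] = PROBE_PATHS) -> Dict[str, str]:
    """Probe every path and return path -> verdict."""
    # A random name nobody has created gives the site's genuine "not found" answer.
    baseline = fetch(base_url, "no-such-file-%s" % secrets.token_hex(8))
    return {p: verdict(baseline, fetch(base_url, p)) for p in paths}


if __name__ == "__main__":
    import sys

    for path, result in check_site(sys.argv[1]).items():
        print("%-24s %s" % (path, result))
```

Run it once before and once after changing the .htaccess: with ox6a6e's rewrite in place every probe should report `hidden`; with option 1 the config file reports `leak: redirect to ...`, with option 2 `leak: forbidden`. A site that redirects every unknown path to the homepage is still handled, because the baseline then is itself a redirect and only a probe that differs from it is flagged.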