phpsysinfo / phpsysinfo

phpSysInfo: a customizable PHP script that displays information about your system nicely
http://phpsysinfo.github.io/phpsysinfo
GNU General Public License v2.0

Security rules #371

Closed williamdes closed 1 year ago

williamdes commented 1 year ago

What are the security rules I can put?

Here are the configurations I provided for Debian users: https://salsa.debian.org/php-team/pear/phpsysinfo/-/tree/debian/3.4.2-2/debian/conf

But maybe there are more folders and files to deny access to?

namiltd commented 1 year ago

The most important is the phpsysinfo.ini file, access to which is denied in .htaccess. In addition, access to all files with the tmp and extension should be denied (most web servers have this by default). In .htaccess, files with the log extension are also blocked.

williamdes commented 1 year ago

> The most important is the phpsysinfo.ini file

Perfect that I moved it to /etc/ then :)

namiltd commented 1 year ago

Folders language, plugins and templates can't be denied.

williamdes commented 1 year ago

Okay, thank you

namiltd commented 1 year ago

In the plugins folder only php files can be blocked.
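
The rules named in this thread, collected as an Apache 2.4 configuration fragment. This is an added example, not part of the thread or of the phpSysInfo project. The install path `/usr/share/phpsysinfo` is an assumption; replace it with the actual document root of the installation.

```apache
# Added example. /usr/share/phpsysinfo is an assumed install path.
<Directory "/usr/share/phpsysinfo">
    # Deny direct requests for phpsysinfo.ini and for any file with
    # the tmp or log extension, as described in the thread.
    <FilesMatch "(^phpsysinfo\.ini$|\.(tmp|log)$)">
        Require all denied
    </FilesMatch>
</Directory>

# Do not deny the language, plugins or templates folders as a whole:
# per the thread, they have to stay reachable.
# Inside plugins, only the .php files are blocked; everything else
# in that folder is still served.
<Directory "/usr/share/phpsysinfo/plugins">
    <FilesMatch "\.php$">
        Require all denied
    </FilesMatch>
</Directory>
```

After reloading Apache, a request for `phpsysinfo.ini` or for a `.php` file under `plugins/` should return 403, while the main page and its language, template and plugin assets still load.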