picocms / Pico

Pico is a stupidly simple, blazing fast, flat file CMS.
http://picocms.org/
MIT License

Web Root Security concerns for PicoCMS #613

Closed dawidmachon closed 2 years ago

dawidmachon commented 2 years ago

I will attach here, for your investigation, a small quote (context: serving Pico on a web server):


  location ~ ^/((config|content|vendor|composer\.(json|lock|phar))(/|$)|(.+/)?\.(?!well-known(/|$))) {
      try_files /index.php$is_args$args =404;
  }

From this, it seems like your webroot is the same place as your vendor, composer.json, etc. That’s dangerous and a bad idea.

Your webroot on a modern PHP app should be in a subdirectory from that location, such as a public directory, which would contain your index.php entrypoint. Go and check: PHP Right Way

That’s unfortunate. It’s so much easier to make sure things are secured by moving the webroot to a subdirectory. It’s a big reason why legacy projects are plagued with security issues. It’s extremely difficult to correctly handle all the possible crafted requests that could allow someone to bypass request matching and get at sensitive files. The safest way is to set the webroot to something deep enough that it is completely shielded from the scope of sensitive files.

The file_server directive can ensure that request paths cannot escape from the configured root, but there’s very little guarantee of safety if you’re relying on request matchers you (or anyone else) have crafted to block requests.

What do you think about that? Maybe it would be smart to rework things and repack them into a subdirectory? I am not a specialist in web security; I am only pasting a clever note. ;)

PhrozenByte commented 2 years ago

Everything has advantages and disadvantages - and the primary disadvantage of a public_html folder is that it won't work on a lot of managed webhosting services, because you often can't configure the document root. That's why we can't make this the default and the reason why most CMS still use the "old" approach.

However, switching to a public_html approach for Pico is no hard thing to do: simply move index.php, plugins, themes and assets to a public_html folder and edit the paths in Pico's index.php (and possibly the paths in config/config.yml) to match your setup.
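The restructuring the maintainer describes, as an added worked example that is not part of this thread or of Pico's own code: a POSIX shell script that moves index.php, plugins, themes and assets under public_html, writes a replacement entry point whose paths point one level up, and prints an nginx server block rooted at public_html. It assumes Pico 2.x, whose stock index.php constructs `new Pico(__DIR__, 'config/', 'plugins/', 'themes/')` and resolves relative paths against the root dir, and it assumes the `assets_dir` config key; the demo tree it builds is constructed, and the nginx socket path, server name and rewrite rule are assumptions to check against your own setup and Pico's documentation.

```shell
#!/bin/sh
# Added example, not Pico's own code: move a Pico install to a public_html
# document root so that config/, content/, vendor/ and composer.* sit above
# the web root and no request-matching regex has to keep them out.
# Assumes Pico 2.x (index.php builds Pico(__DIR__, 'config/', 'plugins/', 'themes/')
# and resolves relative dirs against the root dir); verify against your copy.
set -u

# Build a constructed, Pico-like tree for the demo; this is not a real checkout.
pico_demo_layout() {
    d="$1"
    mkdir -p "$d/config" "$d/content" "$d/vendor" "$d/plugins" "$d/themes/default" "$d/assets"
    printf 'base_url: https://example.com/\n' > "$d/config/config.yml"
    printf '<?php // stub autoloader\n' > "$d/vendor/autoload.php"
    printf '{}\n' > "$d/composer.json"
    printf '<?php // stock entry point\n' > "$d/index.php"
    printf '# Hello\n' > "$d/content/index.md"
    printf '<html></html>\n' > "$d/themes/default/index.twig"
}

# Restructure the install at $1 in place: only the public parts go under public_html.
pico_split_webroot() {
    root="$1"
    pub="$root/public_html"
    mkdir -p "$pub"
    for d in plugins themes assets; do
        if [ -e "$root/$d" ]; then mv "$root/$d" "$pub/$d"; fi
    done
    rm -f "$root/index.php"
    # Replacement entry point: the root dir is the parent of public_html, so
    # config/ and vendor/ resolve outside the document root and can never be
    # served, whatever the request path looks like.
    cat > "$pub/index.php" <<'EOF'
<?php
$rootDir = dirname(__DIR__);                       // the dir above public_html
require_once $rootDir . '/vendor/autoload.php';    // not web-reachable

$pico = new Pico(
    $rootDir,                 // root dir: base for the relative paths below (assumption)
    'config/',                // config dir, outside the document root
    'public_html/plugins/',   // plugins dir, inside the document root
    'public_html/themes/'     // themes dir, inside the document root
);
echo $pico->run();
EOF
    # assets/ moved too; point Pico at its new location (assumed config key).
    printf 'assets_dir: public_html/assets/\n' >> "$root/config/config.yml"
}

# Print an nginx server block whose root is the public_html directory given as $1.
# Nothing sensitive lives under root, so no deny-list regex for config/content/vendor
# is needed. Socket path, server_name and the rewrite rule are assumptions.
pico_nginx_conf() {
    cat <<EOF
server {
    listen 80;
    server_name example.com;
    root $1;
    index index.php;

    # Pretty URLs: anything that is not a real file goes to the entry point.
    location / {
        try_files \$uri \$uri/ /index.php\$is_args\$args;
    }

    # Plugin sources under root are neither executed nor served (hardening choice here).
    location ~ \\.php\$ { return 404; }

    # Exact match wins over the regex above: only the entry point runs as PHP.
    location = /index.php {
        fastcgi_pass unix:/run/php/php-fpm.sock;
        fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
        include fastcgi_params;
    }

    # Dotfiles that may still end up under root (e.g. .git), except ACME challenges.
    location ~ /\\.(?!well-known/) { return 404; }
}
EOF
}

# Demo on a throwaway constructed tree: show the resulting layout and the root line.
demo=$(mktemp -d)
pico_demo_layout "$demo"
pico_split_webroot "$demo"
( cd "$demo" && find . -type d | sort )
pico_nginx_conf "$demo/public_html" | grep '^    root '
rm -rf "$demo"
```

After the split, the only PHP the web server will ever execute is public_html/index.php, and the paths the issue's regex tries to deny are simply not under the document root. Managed hosts that do not let you change the document root cannot use this layout, which is the maintainer's reason for not making it the default.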

github-actions[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in two days if no further activity occurs. Thank you for your contributions! :+1: