[ticket/security-181] Port .htaccess changes to other webserver types

SECURITY-181
2025-08-02 23:07:39 +02:00 · 2016-11-13 11:50:23 +01:00
parent 61683f895c
commit 7ba9b06881
3 changed files with 5 additions and 2 deletions
--- a/phpBB/docs/lighttpd.sample.conf
+++ b/phpBB/docs/lighttpd.sample.conf
@@ -37,7 +37,7 @@ $HTTP["host"] == "www.myforums.com" {
 	accesslog.filename		= "/var/log/lighttpd/access-www.myforums.com.log"
 	
 	# Deny access to internal phpbb files.	
-	$HTTP["url"] =~ "^/(config\.php|common\.php|includes|cache|files|store|images/avatars/upload)" {
+	$HTTP["url"] =~ "^/(config\.php|common\.php|cache|files|images/avatars/upload|includes|phpbb|store|vendor)" {
 		url.access-deny = ( "" )
 	}

--- a/phpBB/docs/nginx.sample.conf
+++ b/phpBB/docs/nginx.sample.conf
@@ -72,7 +72,7 @@ http {
        }

        # Deny access to internal phpbb files.
-        location ~ /(config\.php|common\.php|includes|cache|files|store|images/avatars/upload) {
+        location ~ /(config\.php|common\.php|cache|files|images/avatars/upload|includes|phpbb|store|vendor) {
            deny all;
            # deny was ignored before 0.8.40 for connections over IPv6.
            # Use internal directive to prohibit access on older versions.
--- a/phpBB/web.config
+++ b/phpBB/web.config
@@ -18,7 +18,10 @@
 				<hiddenSegments>
 					<add segment="cache" />
 					<add segment="files" />
+					<add segment="includes" />
+					<add segment="phpbb" />
 					<add segment="store" />
+					<add segment="vendor" />
 					<add segment="config.php" />
 					<add segment="common.php" />
 				</hiddenSegments>