From 61683f895cff778d722175a8e5ddd2a5facbc42f Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sun, 13 Nov 2016 11:43:17 +0100 Subject: [PATCH 1/4] [ticket/security-181] Deny access to migrations folders SECURITY-181 --- phpBB/phpbb/db/migration/data/v30x/.htaccess | 33 ++++++++++++++++++++ phpBB/phpbb/db/migration/data/v310/.htaccess | 33 ++++++++++++++++++++ phpBB/phpbb/db/migration/data/v31x/.htaccess | 33 ++++++++++++++++++++ 3 files changed, 99 insertions(+) create mode 100644 phpBB/phpbb/db/migration/data/v30x/.htaccess create mode 100644 phpBB/phpbb/db/migration/data/v310/.htaccess create mode 100644 phpBB/phpbb/db/migration/data/v31x/.htaccess diff --git a/phpBB/phpbb/db/migration/data/v30x/.htaccess b/phpBB/phpbb/db/migration/data/v30x/.htaccess new file mode 100644 index 0000000000..44242b5418 --- /dev/null +++ b/phpBB/phpbb/db/migration/data/v30x/.htaccess @@ -0,0 +1,33 @@ +# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from +# module mod_authz_host to a new module called mod_access_compat (which may be +# disabled) and a new "Require" syntax has been introduced to mod_authz_host. +# We could just conditionally provide both versions, but unfortunately Apache +# does not explicitly tell us its version if the module mod_version is not +# available. In this case, we check for the availability of module +# mod_authz_core (which should be on 2.4 or higher only) as a best guess. + + + + Order Allow,Deny + Deny from All + + + = 2.4> + + Require all denied + + + + + + + Order Allow,Deny + Deny from All + + + + + Require all denied + + + diff --git a/phpBB/phpbb/db/migration/data/v310/.htaccess b/phpBB/phpbb/db/migration/data/v310/.htaccess new file mode 100644 index 0000000000..44242b5418 --- /dev/null +++ b/phpBB/phpbb/db/migration/data/v310/.htaccess @@ -0,0 +1,33 @@ +# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from +# module mod_authz_host to a new module called mod_access_compat (which may be +# disabled) and a new "Require" syntax has been introduced to mod_authz_host. +# We could just conditionally provide both versions, but unfortunately Apache +# does not explicitly tell us its version if the module mod_version is not +# available. In this case, we check for the availability of module +# mod_authz_core (which should be on 2.4 or higher only) as a best guess. + + + + Order Allow,Deny + Deny from All + + + = 2.4> + + Require all denied + + + + + + + Order Allow,Deny + Deny from All + + + + + Require all denied + + + diff --git a/phpBB/phpbb/db/migration/data/v31x/.htaccess b/phpBB/phpbb/db/migration/data/v31x/.htaccess new file mode 100644 index 0000000000..44242b5418 --- /dev/null +++ b/phpBB/phpbb/db/migration/data/v31x/.htaccess @@ -0,0 +1,33 @@ +# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from +# module mod_authz_host to a new module called mod_access_compat (which may be +# disabled) and a new "Require" syntax has been introduced to mod_authz_host. +# We could just conditionally provide both versions, but unfortunately Apache +# does not explicitly tell us its version if the module mod_version is not +# available. In this case, we check for the availability of module +# mod_authz_core (which should be on 2.4 or higher only) as a best guess. + + + + Order Allow,Deny + Deny from All + + + = 2.4> + + Require all denied + + + + + + + Order Allow,Deny + Deny from All + + + + + Require all denied + + + From 7ba9b06881ddd70bd3b10e2785b91908e851cdaa Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sun, 13 Nov 2016 11:50:23 +0100 Subject: [PATCH 2/4] [ticket/security-181] Port .htaccess changes to other webserver types SECURITY-181 --- phpBB/docs/lighttpd.sample.conf | 2 +- phpBB/docs/nginx.sample.conf | 2 +- phpBB/web.config | 3 +++ 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/phpBB/docs/lighttpd.sample.conf b/phpBB/docs/lighttpd.sample.conf index 5b04122267..f5b509e002 100644 --- a/phpBB/docs/lighttpd.sample.conf +++ b/phpBB/docs/lighttpd.sample.conf @@ -37,7 +37,7 @@ $HTTP["host"] == "www.myforums.com" { accesslog.filename = "/var/log/lighttpd/access-www.myforums.com.log" # Deny access to internal phpbb files. - $HTTP["url"] =~ "^/(config\.php|common\.php|includes|cache|files|store|images/avatars/upload)" { + $HTTP["url"] =~ "^/(config\.php|common\.php|cache|files|images/avatars/upload|includes|phpbb|store|vendor)" { url.access-deny = ( "" ) } diff --git a/phpBB/docs/nginx.sample.conf b/phpBB/docs/nginx.sample.conf index 2ead3552fd..bf33f4e73d 100644 --- a/phpBB/docs/nginx.sample.conf +++ b/phpBB/docs/nginx.sample.conf @@ -72,7 +72,7 @@ http { } # Deny access to internal phpbb files. - location ~ /(config\.php|common\.php|includes|cache|files|store|images/avatars/upload) { + location ~ /(config\.php|common\.php|cache|files|images/avatars/upload|includes|phpbb|store|vendor) { deny all; # deny was ignored before 0.8.40 for connections over IPv6. # Use internal directive to prohibit access on older versions. diff --git a/phpBB/web.config b/phpBB/web.config index 99a1fe6023..d0a3cb33fe 100644 --- a/phpBB/web.config +++ b/phpBB/web.config @@ -18,7 +18,10 @@ + + + From 44dd1ef9842c83f7ba4a37bf4a17489d5fe73991 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sun, 13 Nov 2016 12:26:35 +0100 Subject: [PATCH 3/4] [ticket/security-181] Update INSTALL.html to ask for more secure apache config SECURITY-181 --- phpBB/docs/INSTALL.html | 18 +++++++++++++++--- phpBB/docs/assets/css/stylesheet.css | 11 +++++++++++ 2 files changed, 26 insertions(+), 3 deletions(-) diff --git a/phpBB/docs/INSTALL.html b/phpBB/docs/INSTALL.html index 9f8bbe74b8..53c18da733 100644 --- a/phpBB/docs/INSTALL.html +++ b/phpBB/docs/INSTALL.html @@ -148,7 +148,7 @@
  • Oracle
    • -
  • PHP 5.3.3+ and PHP < 7.0 with support for the database you intend to use.
    • +
  • PHP 5.3.3+ and PHP < 7.0 with support for the database you intend to use.
  • The following PHP modules are required:
    • json
      • @@ -455,9 +455,21 @@

      6.ii. Webserver configuration

      -

      Depending on your web server, you may have to configure your server to deny web access to the cache/, files/, store/ and other directories. This is to prevent users from accessing sensitive files.

      +

      Depending on your web server, you may have to configure your server to deny web access to the cache/, files/, includes, phpbb, store/, and vendor directories. This is to prevent users from accessing sensitive files.

      -

      For Apache there are .htaccess files already in place to do this for you. Similarly, for Windows based servers using IIS there are web.config files already in place to do this for you. For other webservers, you will have to adjust the configuration yourself. Sample files for nginx and lighttpd to help you get started may be found in docs/ directory.

      +

      + For Apache there are .htaccess files already in place to do this for the most sensitive files and folders. We do however recommend to completely deny all access to the aforementioned folders and their respective subfolders in your Apache configuration.
      + On Apache 2.4, denying access to the phpbb folder in a phpBB instance located at /var/www/html/ would work like this: + 

      +<Directory /var/www/html/phpbb/*>
+	Require all denied
+</Directory>
+<Directory /var/www/html/phpbb>
+	Require all denied
+</Directory>
      +
      +

      The same settings can be applied to the other mentioned directories by replacing phpbb by the respective directory name. Please pay attention to the difference in syntax between Apache version 2.2 and 2.4.

      +

      For Windows based servers using IIS there are web.config files already in place to do this for you. For other webservers, you will have to adjust the configuration yourself. Sample files for nginx and lighttpd to help you get started may be found in docs/ directory.

      diff --git a/phpBB/docs/assets/css/stylesheet.css b/phpBB/docs/assets/css/stylesheet.css index 192a6f9f79..c090ab7e07 100644 --- a/phpBB/docs/assets/css/stylesheet.css +++ b/phpBB/docs/assets/css/stylesheet.css @@ -115,6 +115,17 @@ code { padding: 0 4px; } +pre { + color: #006600; + font-weight: normal; + font-family: 'Courier New', monospace; + border-color: #D1D7DC; + border-width: 1px; + border-style: solid; + background-color: #FAFAFA; + padding: 0 4px +} + #wrap { padding: 0 20px; min-width: 650px; From 1dea4625d0f958787c6357bef84a6d7a5453fe5f Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Fri, 6 Jan 2017 12:27:38 +0100 Subject: [PATCH 4/4] [ticket/security-181] Update wording in INSTALL.html SECURITY-181 --- phpBB/docs/INSTALL.html | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/phpBB/docs/INSTALL.html b/phpBB/docs/INSTALL.html index 53c18da733..19644327c2 100644 --- a/phpBB/docs/INSTALL.html +++ b/phpBB/docs/INSTALL.html @@ -459,7 +459,7 @@

      For Apache there are .htaccess files already in place to do this for the most sensitive files and folders. We do however recommend to completely deny all access to the aforementioned folders and their respective subfolders in your Apache configuration.
      - On Apache 2.4, denying access to the phpbb folder in a phpBB instance located at /var/www/html/ would work like this: + On Apache 2.4, denying access to the phpbb folder in a phpBB instance located at /var/www/html/ would be accomplished by adding the following access rules to the Apache configuration file (typically apache.conf): 

       <Directory /var/www/html/phpbb/*>
 	Require all denied
@@ -468,8 +468,8 @@
 	Require all denied
 </Directory>

      -

      The same settings can be applied to the other mentioned directories by replacing phpbb by the respective directory name. Please pay attention to the difference in syntax between Apache version 2.2 and 2.4.

      -

      For Windows based servers using IIS there are web.config files already in place to do this for you. For other webservers, you will have to adjust the configuration yourself. Sample files for nginx and lighttpd to help you get started may be found in docs/ directory.

      +

      The same settings can be applied to the other mentioned directories by replacing phpbb by the respective directory name. Please note that there are differences in syntax between Apache version 2.2 and 2.4.

      +

      For Windows based servers using IIS there are web.config files already in place to do this for you. For other webservers, you will have to adjust the configuration yourself. Sample files for nginx and lighttpd to help you get started may be found in the docs/ directory.