mirror/php-phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-07-28 04:20:32 +02:00
Code Issues Releases Wiki Activity

Merge pull request #29 from phpbb/ticket/security-181

Browse Source 
[ticket/security-181] Harden protection of migrations files and other directories
This commit is contained in:
Marc Alexander
2017-07-16 10:59:48 +02:00
parent 0ec5e21979 1dea4625d0
commit c99820eb6b
8 changed files with 130 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
phpBB/docs/INSTALL.html
View File

@@ -148,7 +148,7 @@
<li>Oracle</li>
</ul>
</li>
<li><strong>PHP 5.3.3+</strong> and <strong>PHP < 7.0</strong> with support for the database you intend to use.</li>
<li><strong>PHP 5.3.3+</strong> and <strong>PHP &lt; 7.0</strong> with support for the database you intend to use.</li>
<li>The following PHP modules are required:
<ul>
<li>json</li>
@@ -455,9 +455,21 @@
<a name="webserver_configuration"></a><h3>6.ii. Webserver configuration</h3>
<p>Depending on your web server, you may have to configure your server to deny web access to the <code>cache/</code>, <code>files/</code>, <code>store/</code> and other directories. This is to prevent users from accessing sensitive files.</p>
<p>Depending on your web server, you may have to configure your server to deny web access to the <code>cache/</code>, <code>files/</code>, <code>includes</code>, <code>phpbb</code>, <code>store/</code>, and <code>vendor</code> directories. This is to prevent users from accessing sensitive files.</p>
<p>For <strong>Apache</strong> there are <code>.htaccess</code> files already in place to do this for you. Similarly, for <strong>Windows</strong> based servers using <strong>IIS</strong> there are <code>web.config</code> files already in place to do this for you. For other webservers, you will have to adjust the configuration yourself. Sample files for <strong>nginx</strong> and <strong>lighttpd</strong> to help you get started may be found in <code>docs/</code> directory.</p>
<p>
For <strong>Apache</strong> there are <code>.htaccess</code> files already in place to do this for the most sensitive files and folders. We do however recommend to completely deny all access to the aforementioned folders and their respective subfolders in your Apache configuration.<br />
On Apache 2.4, denying access to the <code>phpbb</code> folder in a phpBB instance located at <code>/var/www/html/</code> would be accomplished by adding the following access rules to the Apache configuration file (typically apache.conf):
<pre>
&lt;Directory /var/www/html/phpbb/*&gt;
Require all denied
&lt;/Directory&gt;
&lt;Directory /var/www/html/phpbb>
Require all denied
&lt;/Directory&gt;</pre>
<br />
<p>The same settings can be applied to the other mentioned directories by replacing <code>phpbb</code> by the respective directory name. Please note that there are differences in syntax between Apache version <a href="https://httpd.apache.org/docs/2.2/howto/access.html">2.2</a> and <a href="https://httpd.apache.org/docs/2.4/howto/access.html">2.4</a>.</p>
<p>For <strong>Windows</strong> based servers using <strong>IIS</strong> there are <code>web.config</code> files already in place to do this for you. For other webservers, you will have to adjust the configuration yourself. Sample files for <strong>nginx</strong> and <strong>lighttpd</strong> to help you get started may be found in the <code>docs/</code> directory.</p>
</div>

11
phpBB/docs/assets/css/stylesheet.css
View File

@@ -115,6 +115,17 @@ code {
padding: 0 4px;
}
pre {
color: #006600;
font-weight: normal;
font-family: 'Courier New', monospace;
border-color: #D1D7DC;
border-width: 1px;
border-style: solid;
background-color: #FAFAFA;
padding: 0 4px
}
#wrap {
padding: 0 20px;
min-width: 650px;

2
phpBB/docs/lighttpd.sample.conf
View File

@@ -37,7 +37,7 @@ $HTTP["host"] == "www.myforums.com" {
accesslog.filename = "/var/log/lighttpd/access-www.myforums.com.log"
# Deny access to internal phpbb files.
$HTTP["url"] =~ "^/(config\.php|common\.php|includes|cache|files|store|images/avatars/upload)" {
$HTTP["url"] =~ "^/(config\.php|common\.php|cache|files|images/avatars/upload|includes|phpbb|store|vendor)" {
url.access-deny = ( "" )
}

2
phpBB/docs/nginx.sample.conf
View File

@@ -72,7 +72,7 @@ http {
}
# Deny access to internal phpbb files.
location ~ /(config\.php|common\.php|includes|cache|files|store|images/avatars/upload) {
location ~ /(config\.php|common\.php|cache|files|images/avatars/upload|includes|phpbb|store|vendor) {
deny all;
# deny was ignored before 0.8.40 for connections over IPv6.
# Use internal directive to prohibit access on older versions.