Joobs on Jul 26. 2007. 4:38 am
Hi

I've just installed active collab and currently it is possible to access all the directories via the web browser. Should this happen by default?

Is there any kind of newbies guide detailing how to change the permissions (I am not very experienced with these kinds of things)?
Ilija Studen on Jul 26. 2007. 6:20 am
When you say "access all the directories via the web browser" do you mean that you get directory listings or?
activeCollab Team Member
Joobs on Jul 27. 2007. 12:55 am
I mean I can see all the files in each activeCollab directory (if I type their URL in), including the upload directory. What's the best way to make these secure/forbidden etc., assuming these should be forbidden?
Ilija Studen on Jul 27. 2007. 6:40 am
activeCollab can be installed so that only the content of the public folder is exposed. Some hosts have the following structure when you add a domain / subdomain:

my.subdomain.com/
my.subdomain.com/web
my.subdomain.com/web/public

Where only /web/public is actually accessible through the browser. You upload activeCollab in /web. That way only files from /public are available through the browser. However, this requires a separate subdomain or a domain for your installation.

The other possibility is to use .htaccess to restrict access to specific files, but I haven't played with that much. Take a look at the Apache documentation for more details.
activeCollab Team Member
Joobs on Aug 1. 2007. 3:22 pm
Thanks for your reply.

I have a standard shared hosting account with cPanel, so my subdomains are just folders in my main directory (e.g. activecollab.website.com = website.com/activecollab). I imagine this to be a very average hosting setup for the normal user and small business.

So it looks like I will have to mess with .htaccess.

Do you have any plans on adding preconfigured .htaccess files with the next version? This seems to be a huge security hole, as I’ve checked activecollab installations linked from these forums, and all of them had directory listings turned on by default. So that meant I could go to their /upload directories and see all their files!

I don’t know much about .htaccess but this is what I have learnt so far.

Options -Indexes
That should turn off indexing/directory listing, so when I go to /uploads I get a “forbidden message”. Or even just putting a blank index.html in every directory might be sufficient.

I also saw reports on “filesMatch” which can be used as an extra security step to stop people accessing files they shouldn’t be, such as config.php since it contains the passwords etc. I know you shouldn’t be able to see the contents of php files normally, but I’ve seen many technical sites mention you should do this as an extra step.

For example, Drupal comes with this in its .htaccess file (it has other stuff in it too):


# Protect files and directories from prying eyes.
<FilesMatch "(\.(engine|inc|info|install|module|profile|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)|code-style\.pl|Entries.*|Repository|Root|Tag|Template)$">
Order allow,deny
</FilesMatch>

# Don't show directory listings for URLs which map to a directory.
Options –Indexes


So that seems to turn off directory listings, and hide all the config files specific to Drupal.

Do you know if anyone on the community has made an equivalent file for activecollab?
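An activeCollab equivalent of the Drupal snippet above, written here as an added example (it is not from this thread or from the activeCollab project). It assumes the layout the thread describes (install root at public_html/activecollab, with config.php and an upload folder under it) and, as the staff reply implies, that attachments are meant to be handed out by the application rather than fetched by direct URL:

```apache
# ---- public_html/activecollab/.htaccess (install root; path assumed from the thread) ----

# Stop Apache from generating directory listings for any folder below this point,
# so requests for /upload/, /cache/, /config/ etc. return 403 instead of a file index.
Options -Indexes

# Refuse direct requests for the configuration file that holds the database
# credentials, so it stays hidden even if PHP handling were ever misconfigured
# and Apache served the file as plain text. (Apache 2.2 syntax, as in the thread.)
<FilesMatch "^config\.php$">
    Order allow,deny
    Deny from all
</FilesMatch>

# ---- public_html/activecollab/upload/.htaccess (second file, same assumption) ----

# Turning listings off does not stop someone fetching an attachment whose name
# they already know, so deny every direct request inside the upload folder.
Order allow,deny
Deny from all
```

If the host's AllowOverride does not permit Options, the Options line causes a 500 error for the whole site; in that case drop it and fall back to the blank index.html per directory mentioned earlier in the thread.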
Joobs on Aug 1. 2007. 11:40 pm
Or...

since my server is set up like this: "domain/public_html/activecollab/" (public_html is the document root)

Could I install the application, cache, config, upload etc. folders and files beneath the document root at "domain/activecollab/", and then have the public folder renamed to something like activecollab and have that sit at "domain/public_html/activecollab"? Are there many files that I would have to update to reflect the new folder changes?