aC forum: Stop directory access

Post #6 by Joobs

Joobs — Wed, 01 Aug 2007 23:40:31 UTC

Or...

since my server is setup like this "domain/public_html/activecollab/" (public_html is the document root)

Could i install the applciation, cache, config, upload etc folders a files beneath the document root at "domain/activecollab/", and then have the public folder renamed to something like activecollab and have that sit at "domain/public_html/activecollab". Are there many files that i would have to update to reflect the new folder changes?

Post #5 by Joobs

Joobs — Wed, 01 Aug 2007 15:22:15 UTC

Thanks for your reply.

I have a standard shared hosting account with cPanel, so my subdomains are just folders in my main directory (eg activecollab.website.com = website.com/activecollab). I imagine this to be a very average hosting setup for the normal user and small business.

So it looks like I will have to mess with .htaccess.

Do you have any plans on adding preconfigured .htaccess files with the next version? This seems to be a huge security hole, as I’ve checked activecollab installations linked from these forums, and all of them had directory listings turned on by default. So that meant I could go to their /upload directories and see all their files!

I don’t know much about .htaccess but this is what I have learnt so far.

Options –Indexes
That should turn off indexing/directory listing, so when I go to /uploads I get a “forbidden message”. Or even just putting a blank index.html in every directory might be sufficient.

I also saw reports on “filesMatch” which can be used as an extra security step to stop people accessing files they shouldn’t be, such as config.php since it contains the passwords etc. I know you shouldn’t be able to see the contents of php files normally, but I’ve seen many technical sites mention you should do this as an extra step.

For example Drupal comes with this in it’s .htaccess file (has other stuff in it too)

# Protect files and directories from prying eyes.

Order allow,deny

# Don't show directory listings for URLs which map to a directory.
Options –Indexes

So that seems to turn off directory listings, and hide all the config files specific to Drupal.

Do you know if anyone on the community has made an equivalent file for activecollab?

Post #4 by Ilija Studen

Ilija Studen — Fri, 27 Jul 2007 06:40:10 UTC

activeCollab can be installed so only content of the public folder is exposed. Some hosts have following structure when you add a domain / subdomain:

my.subdomain.com/
my.subdomain.com/web
my.subdomain.com/web/public

Where only /web/public is actually accessible through the browser. You upload activeCollab in /web. That way only files from /public are available through the browser. However, this requires a separate subdomain or a domain for your installation.

Other possibility is to use .htaccess to restrict access to specific files, but I haven't played with that much. Take a look at Apache documentation for more details.

Post #3 by Joobs

Joobs — Fri, 27 Jul 2007 00:55:19 UTC

I mean i can see all the files in each activeCollab directory (if i type their URL in), including the upload directory. What's the best way to make these secure/forbidden etc, assuming these should be forbidden?

Post #2 by Ilija Studen

Ilija Studen — Thu, 26 Jul 2007 06:20:11 UTC

When you say "access all the directories via the web browser" do you mean that you get directory listings or?

Post #1 by Joobs

Joobs — Thu, 26 Jul 2007 04:38:08 UTC

Hi

I've just installed active collab and currently it is possible to access all the directories via the web browser. Should this happen by default?

Is there any kind of newbies guide detailing how to change the permissions (i am not very expereinced with these kind of things)?