security hole

Post here if you found bugs.
damcool
beginner
Posts: 8
Joined: Sun Dec 11, 2011 14:59

Post by damcool » Mon Dec 12, 2011 11:12

Hi, All

I found there is a security issue if we put deployment.ini under the config directory. It could be accessed from the web by the URL http://IP/nconf/config/deployment.ini

fgander
NConf developer
Posts: 308
Joined: Mon Mar 16, 2009 14:23
Location: Bern, Switzerland

Re: security hole

Post by fgander » Mon Dec 12, 2011 23:35

Hey.

Thanks for the feedback. I added a .htaccess file to the config directory, which should solve the problem.
Can you please also test that?
I committed the file to GitHub: https://github.com/nconf/development/co ... 4fe2452a96

#
# NConf configuration directory protection (config/)
# Do not allow access to config files
#
Deny from All

Please be sure you copy the file into the config/ directory (config/.htaccess) and that it's readable by your webserver.
Your webserver should be configured to read the .htaccess file (Apache AllowOverride directive).

If disabled, you can enable it for this directory in your virtual host config:

<Directory /var/www/html/nconf/config>
    AllowOverride All
</Directory>
F.G. - NConf developer
http://www.nconf.org
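
One way to run the test asked for above, as an added example that is not part of the original thread or of NConf: a shell check that requests files under config/ and reports whether the web server hands them out. The function names, the verdict labels and the exit codes are assumptions of this example; deployment.ini is the file named in the report.

```shell
#!/bin/sh
# Added example (not NConf code): confirm that files under NConf's config/
# directory are not served over HTTP.
# Usage: ./check.sh http://IP/nconf [file ...]   (defaults to deployment.ini)

# Map an HTTP status code to a verdict (labels are this example's own).
classify_status() {
    case "$1" in
        200|206)     echo "EXPOSED" ;;      # the file body was served
        401|403|404) echo "blocked" ;;      # denied, or nothing served there
        000)         echo "unreachable" ;;  # curl could not get a response
        *)           echo "review" ;;       # redirects, 5xx: check by hand
    esac
}

# Fetch only the status code; the response body is discarded.
probe_status() {
    curl -s -o /dev/null --max-time 10 -w '%{http_code}' "$1"
}

# Returns 0 if every file is blocked, 1 if any file is served,
# 2 if no file is served but at least one result is inconclusive.
check_config_exposure() {
    base=${1%/}; shift
    [ "$#" -gt 0 ] || set -- deployment.ini
    rc=0
    for f in "$@"; do
        url="$base/config/$f"
        code=$(probe_status "$url") || code=${code:-000}
        verdict=$(classify_status "$code")
        printf '%-12s %s  %s\n' "$verdict" "$code" "$url"
        case "$verdict" in
            EXPOSED) rc=1 ;;
            blocked) ;;
            *) [ "$rc" -eq 1 ] || rc=2 ;;
        esac
    done
    return "$rc"
}

# Only touch the network when a base URL is given on the command line.
if [ "$#" -gt 0 ]; then
    check_config_exposure "$@"
fi
```

If the result is still EXPOSED after installing config/.htaccess, the file is being ignored, which is what AllowOverride None produces. A 500 lands under review: Apache 2.4 without mod_access_compat rejects Deny from All, and its native equivalent is Require all denied.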