[TYPO3-dev] Info disclosure from extension folders

Steffen Kamper steffen at dislabs.de
Thu Oct 26 01:44:36 CEST 2006


"Christian Reiter" <cr at cxd.de> wrote in message 
news:mailman.1.1161810773.23662.typo3-dev at lists.netfielders.de...
> Yes, this kind of FilesMatch statement is exactly what I meant. It only
> needs one entry in the httpd.conf. The Drupal example also covers CVS
> files, which is a good idea as they may contain interesting information,
> especially in CVS/Root.
> The same is true of .svn folders.
> On newer versions of Apache you can use modifiers in the FilesMatch regex,
> which helps with the many different spellings for "ChangeLog",
> "changelog.txt" etc.
> Moving the files around is not necessary.
>
> Greetings,
>
> Christian Reiter
>

Hi,
Thanks for that hint - it shows that only a few commands can solve this 
problem. It would be nice to engineer a FilesMatch statement for TYPO3 and 
publish it.

Best regards, Steffen

> "Christopher Torgalson" <bedlamhotel at gmail.com> wrote in message
> news:mailman.33107.1161794165.20124.typo3-dev at lists.netfielders.de...
>> On 10/25/06, Martin Kutschker <Martin.Kutschker at n0spam-blackbox.net>
>> wrote:
>> > christian reiter wrote:
>> > >
>> > > Therefore it is perhaps a good idea to configure Apache so that it
>> > > does not deliver this information.
>> > >
>> > > Just forbidding access to all typo3conf/ext is of course not the
>> > > solution:)
>> > > However there is no reason why it should be possible to display the
>> > > ext_tables.sql, the changelogs etc in the browser. When people make
>> > > extensions themselves of course it is also possible to find out some
>> > > information by identifying the extension name from the comments in
>> > > the HTML source of a page where a plugin is located and then looking
>> > > at the ext_tables.sql, wizard_form.html... etc. - all of this
>> > > information should really be private.
>> >
>> > The current file system layout makes it impossible to distinguish
>> > between files that must be delivered by the Webserver (PHP-scripts,
>> > certain images, CSS-files and other web resources) and other data
>> > (PHP classes, setup and configuration data).
>> >
>> > IMHO this should be addressed in TYPO3 5.0, but in the meantime you can
>> > hide only specific files (eg "typo3conf/localconf.php" or generic file
>> > names like "ChangeLog"), but I think it's a lot of trouble to protect
>> > all those files and directories with Apache directives.
>>
>> Really? Drupal's .htaccess file ships with this entry:
>>
>> <FilesMatch "(\.(engine|inc|install|module|sh|.*sql|theme|tpl(\.php)?|xtmpl)|code-style\.pl|Entries.*|Repository|Root)$">
>>   Order deny,allow
>>   Deny from all
>> </FilesMatch>
>>
>> ...and it works--files can be accessed by local scripts but not, as
>> far as I can see, in any other way. Did I misunderstand what you
>> meant?
>>
>>
>> -- 
>> Christopher Torgalson
>
> 
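The FilesMatch statement for TYPO3 that the thread asks for, as an added example rather than anything posted by the participants: it takes the file names the thread mentions (ext_tables.sql, localconf.php, the ChangeLog spellings, CVS and .svn metadata) and uses the `(?i)` regex modifier Christian refers to; ext_emconf.php, the backup suffixes and the DirectoryMatch rule are my own additions and assume Apache 2.x with PCRE regexes.

```apache
# Added example, not from the thread: a TYPO3-oriented variant of the Drupal
# FilesMatch rule quoted above. Assumes Apache 2.x with PCRE regexes (so the
# (?i) case-insensitive modifier is available) and goes into httpd.conf or
# a .htaccess file in the TYPO3 document root.

# Extension and configuration files that PHP reads but a browser never needs.
# .txt and .xml are deliberately not blocked wholesale: robots.txt and other
# legitimately public files would disappear with them, so only the documented
# names are caught with an optional .txt suffix.
<FilesMatch "(?i)(\.(sql|inc|sh|bak|old|orig)|ext_emconf\.php|localconf\.php|(changelog|readme|todo)(\.txt)?)$">
  Order deny,allow
  Deny from all
  # Apache 2.4 without mod_access_compat: replace the two lines above with
  # Require all denied
</FilesMatch>

# CVS bookkeeping files, kept case-sensitive and anchored so that an unrelated
# file that merely ends in "root" is not caught.
<FilesMatch "^(Entries(\.Log|\.Static)?|Repository|Root)$">
  Order deny,allow
  Deny from all
</FilesMatch>

# Whole CVS/ and .svn/ checkout directories, wherever they sit under the docroot.
<DirectoryMatch "/(CVS|\.svn)/">
  Order deny,allow
  Deny from all
</DirectoryMatch>
```

After a reload, a request for typo3conf/ext/<extension>/ext_tables.sql or typo3conf/localconf.php should return 403 while the images, CSS and JS under the same extension directory still load, which is the "local scripts yes, browser no" behaviour Christopher describes for Drupal.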