[#38985] - Additional Hardening
- Closed
- 18 Oct 2022
- Medium
- Build: 4.2-dev
- # 38985
- Diff
- brianteeman:patch-3
User tests: Successful: Unsuccessful:
Pull Request for Issue # .
Summary of Changes
Prevent direct access to the administrator/cache and administrator/logs folder
It should never be directly accessed and it may contain sensitive data
This is only for apache web servers
Testing Instructions
use your web browser to access the following urls
/administrator/logs
/administrator/cache
Actual result BEFORE applying this Pull Request
empty page
Expected result AFTER applying this Pull Request
403 denied
Link to documentations
Please select:
-
Documentation link for docs.joomla.org:
-
No documentation changes for docs.joomla.org needed
-
Pull Request link for manual.joomla.org:
-
No documentation changes for manual.joomla.org needed
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | Administration |
| Labels |
Added:
?
|
||
Makes sense to me but we should also drop a web.config file in to match like we have in libraries https://github.com/joomla/joomla-cms/blob/4.2-dev/libraries/web.config
Makes sense to me but we should also drop a web.config file in to match like we have in libraries https://github.com/joomla/joomla-cms/blob/4.2-dev/libraries/web.config
dam I missed that file - updating now
When generating the assembly, directory administrator\logs is missing. I don’t know, perhaps this is how it was intended, but in this particular case, new 2 files do not get into the log directory when installing the assembly.
In addition, maybe now we will remove the junk index.html from these directories?
And 1 more bug. Install the assembly, enable standard caching in the general settings. Surf the site (create a cache). Go to clearing the cache, but at the same time keep an eye on the administrator\cache directory - when the cache is completely cleared, new files remain in place, but when clearing the OBSOLETE cache, I delete the new file web.config.
Site on Apache. I assume that the opposite file (???) will be deleted on another server.
Isnt that file deleted once you hit manually clean cache?
As mentiond by @Kostelano
but when clearing the OBSOLETE cache, I delete the new file web.config.
grrh
| Status | Pending | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2022-10-18 10:22:44 |
| Closed_By | ⇒ | brianteeman |
Prevent direct access to the administrator/cache and administrator/logs folder
Why not restrict this patch to just the administrator/logs folder?
Why not restrict this patch to just the administrator/logs folder?
Theoretically (not sure) this can also be a problem, similar to clearing the cache folder. There is a parameter that is responsible for the frequency of cleaning the log folder. Honestly, I did not try to see how he does it, but this point is also worth checking.
I have tested this item✅ successfully on 2216cf2
Web Server Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/8.1.10
No code review
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/38985.