Before asking for help please read "Requesting Help and Suggestions" by clicking on that tab above here.
  • Page:
  • 1

TOPIC:

Security problem 2 weeks 2 days ago #1

  • Michael12
  • Michael12's Avatar Topic Author
  • Offline
  • New Member
  • New Member
  • Posts: 4
Hi everyone!
I installed webtree version 2.0.15.
When im open www.domain.com/data/config.ini.php and i see semicolon.
I read in the documentation that this means I have no protection.
When i changed permissions for folder data on 700 (chmod -R 700 data).
but i keep getting semicolon.

I use:
PHP Version 7.4.3
Nginx, Ubuntu on virtual server (digital ocean).

What i do wrong? What i need to do?

Please Log in or Create an account to join the conversation.

Security problem 2 weeks 2 days ago #2

  • Franz Frese
  • Franz Frese's Avatar
  • Offline
  • New Member
  • New Member
  • Posts: 61
I do not believe that you called domain.com .
What is your domain?

Please Log in or Create an account to join the conversation.

Security problem 2 weeks 2 days ago #3

  • fisharebest
  • fisharebest's Avatar
  • Away
  • Administrator
  • Administrator
  • Posts: 14403
> I read in the documentation that this means I have no protection.

This means that the files in the /data folder are accessible directly.

This includes your GEDCOM files, your media files, etc.

In the /data folder, you will find a file called .htaccess.

This contains instructions for apache to hide the folder. But either

1) you do not use apache
2) your server does not use .htaccess files.

So, you must relocate this folder. Choose a folder at the same level as your webtrees installation.
e.g. "webtrees-data".

Move the GEDCOM files and the /media/ folder from /data to your new folder.
In the control panel / site preferences, there is a setting "data folder".

Change this from "data/" to "../webtrees-data".
Greg Roach - This email address is being protected from spambots. You need JavaScript enabled to view it. - fisharebest.webtrees.net

Please Log in or Create an account to join the conversation.

Security problem 2 weeks 2 days ago #4

  • fisharebest
  • fisharebest's Avatar
  • Away
  • Administrator
  • Administrator
  • Posts: 14403
Alternatively, for nginx users, look at the example here:
webtrees.net/faq/urls/
Greg Roach - This email address is being protected from spambots. You need JavaScript enabled to view it. - fisharebest.webtrees.net

Please Log in or Create an account to join the conversation.

Security problem 1 week 5 days ago #5

  • Michael12
  • Michael12's Avatar Topic Author
  • Offline
  • New Member
  • New Member
  • Posts: 4

Alternatively, for nginx users, look at the example here:
webtrees.net/faq/urls/


fisharebest, thanks for your answer!

I used the configuration file you sent. Now the server does not allow downloading files from the / data folders, but I still get a semicolon in the /data/config.ini.php path.
Is my site secure now?

Please Log in or Create an account to join the conversation.

Security problem 1 week 5 days ago #6

  • fisharebest
  • fisharebest's Avatar
  • Away
  • Administrator
  • Administrator
  • Posts: 14403
You have said 3 things.

1) you used my nginx config
2) you cannot access files in /data
3) you can run PHP scripts in /data

My script should (a) block *all* access in /data and (b) only allow PHP to run one script (index.php).

> I used the configuration file you sent

I guess you also have other nginx config which is executing the PHP scripts.

It is impossible to know what you have done without seeing *all* your nginx config.
Greg Roach - This email address is being protected from spambots. You need JavaScript enabled to view it. - fisharebest.webtrees.net

Please Log in or Create an account to join the conversation.

Security problem 1 week 5 days ago #7

  • Michael12
  • Michael12's Avatar Topic Author
  • Offline
  • New Member
  • New Member
  • Posts: 4
Attached my config.

I disabled 2 settings because I think they are duplicated.
Attachments:

Please Log in or Create an account to join the conversation.

Security problem 1 week 5 days ago #8

  • fisharebest
  • fisharebest's Avatar
  • Away
  • Administrator
  • Administrator
  • Posts: 14403
The rule:
location ~ \.php$ {

has a higher precedence than this rule
location /data {

I have written an article to explain the priorities:

fisharebest.stonystratford.org/116/under...ginx-location-rules/

> I disabled 2 settings because I think they are duplicated.

In my configuration, only one PHP script is allowed: index.php
This is a security feature.

Unless you have installed other PHP scripts, I recommend my configuration.

But if you need other PHP scripts, then you can replace the "low priority prefix" rules with "high priority prefix rules".
Greg Roach - This email address is being protected from spambots. You need JavaScript enabled to view it. - fisharebest.webtrees.net

Please Log in or Create an account to join the conversation.

Do you need a web hosting solution for your webtrees site?
If you prefer a host that specialises in webtrees, the following page lists some suppliers able to provide one for you: 

Security problem 18 hours 47 minutes ago #9

  • Michael12
  • Michael12's Avatar Topic Author
  • Offline
  • New Member
  • New Member
  • Posts: 4
Thank you! Your answer was beneficial to me.

I changed the configuration according to your recommendation. Is it all right now?

Have I configured this line correctly?

rewrite ^ /var/www/domain.com/index.php last

Attachments:

Please Log in or Create an account to join the conversation.

  • Page:
  • 1
Powered by Kunena Forum