Should I disallow access to certain roundcube directories in nginx? I'm especially concerned about arbitrary PHP execution in the user upload directory
any directory containing user uploads has execution disabled by definition
Apache:
<IfModule mod_php5.c> php_flag engine off </IfModule>
any directory only containing libraries and no directly accessed files has access denied by definition
that is completly independent of roundcube or whatever webserver that are best practices in any case and not a question
Apache: <IfModule !mod_version.c> Order deny,allow Deny from all
</IfModule> <IfModule mod_version.c> <IfVersion < 2.4> Order deny,allow Deny from all </IfVersion> <IfVersion >= 2.4> Require all denied </IfVersion> </IfModule>
Are the default permissions you reference set via .htaccess files?
it does not matter if you put them in .htaccess or <Directory>-directives the final goal is the same and depends on your environment
hence in my own applications they are deployed as part of packages in .htaccess while with LocationMatch / Location for folders like "upload" or "tmp" they are in global policies
Ah, I misread that the first time around. It sounds like I need to be sure I disallow access and execution in certain directories. Which directories are those for roundcube?
- Grant
On 2014-02-13 20:06, Grant wrote:
Ah, I misread that the first time around. It sounds like I need to be sure I disallow access and execution in certain directories. Which directories are those for roundcube?
check all dirs in roundcube webroot where it is a .htaccess file, this files tells how to protect, atleast for apache
logs and temp if i remember all of it maybe also bin and webroot dir itself
feks wordpress have upload dirs unprocted in webroot :(
also remember no dirs or files must be owned by the user that serving webpage
-
Benny Pedersen -
Grant