Place Your Ad Here

Bug nginx-related manual security fault

There is a bug in this version
K

Katsuro

Guest
In XenForo 2.x manual, where nginx webserver configuration described, there's a potential security fault related to php scripts:

Friendly URLs | Manual | XenForo

End-user documentation for XenForo
xenforo.com
xenforo.com
With this setup, every visitor still can execute any php scripts behind protected folders, like src, internal_data, etc
All protected routes need to have ^~ at the beginning of path, so the final version should look like this:
NGINX:

Code: 
location ^~ /xf/install/data/ {
    internal;
}

location ^~...

Read more

Continue reading...
 
You must log in or register to reply here.

Similar threads

D
Ques/Help nginx help - 20$
Replies
0
Views
54
XenForo General Discussions
dutyfree
D
R
XenForo NGINX Windows Fresh Install
Replies
0
Views
206
XenForo Development & Modifications
Robert4049
R
C
Ques/Help Nginx Secure Install Directory
Replies
0
Views
312
XenForo General Discussions
cloudpro
C
A
XenForo RSS not working with nginx
Replies
0
Views
279
XenForo Development & Modifications
Alex Vojacek
A
J
XenForo Can't get gmp and curl installed on new server running nginx
Replies
0
Views
444
XenForo Development & Modifications
John917
J
Top Bottom
Back