Place Your Ad Here

Bug nginx-related manual security fault

There is a bug in this version
K

Katsuro

Guest
In XenForo 2.x manual, where nginx webserver configuration described, there's a potential security fault related to php scripts:

Friendly URLs | Manual | XenForo

End-user documentation for XenForo
xenforo.com
xenforo.com
With this setup, every visitor still can execute any php scripts behind protected folders, like src, internal_data, etc
All protected routes need to have ^~ at the beginning of path, so the final version should look like this:
NGINX:

Code: 
location ^~ /xf/install/data/ {
    internal;
}

location ^~...

Read more

Continue reading...
 
You must log in or register to reply here.

Similar threads

R
XenForo NGINX Windows Fresh Install
Replies
0
Views
151
XenForo Development & Modifications
Robert4049
R
C
Ques/Help Nginx Secure Install Directory
Replies
0
Views
256
XenForo General Discussions
cloudpro
C
A
XenForo RSS not working with nginx
Replies
0
Views
215
XenForo Development & Modifications
Alex Vojacek
A
J
XenForo Can't get gmp and curl installed on new server running nginx
Replies
0
Views
364
XenForo Development & Modifications
John917
J
N
XenForo CORS error on Nginx
Replies
0
Views
696
XenForo Development & Modifications
NicklasM
N
Top Bottom
Back