/whf/ safe to leave it as it is?

  • I just noticed when I go to my website, domain.com/whc/, many files are available to everybody


    files such as


    config.inc.php
    global.php
    options.inc.php


    acp and more


    From system -> packages -> Manage application I can find it WoltLab Community Framework and if I try to edit it, it allows me to change/redo? the path.


    Do I need to do anything to hide it from people? htaccess? Rename the path (is that safe?), or am I getting paranoid over nothing?


    Thank you all.


    EDIT I meant WCF

    Edited 3 times, last by spaced: EDIT is WCF.

  • Denying access to the folder of the WCF is a bad idea which would cause a lot of problems. ;)
    Sensitive content should already be protected by htaccess. What is important is that you can't see the source code of PHP files (normally you can't).
    If you edit the path in the ACP, you have to edit the path in the file system, too - otherwise the files will cause "404 - not found".


    In general, everything which should not be accessible by others should be protected by an htaccess file which comes with a plugin, so there is normally no need to do anything. :)
    (Sorry for my English. I should go and visit my bed...)

  • Your post confused me a bit :)


    You are saying denying access to WCF is a bad idea.


    But then you are saying files should be protected by htaccess.



    I have added an htaccess with deny from everybody to that folder. I haven't spotted any problems (yet). Do you have experience with this?


    What is other people's solution for this?

  • I have added an htaccess with deny from everybody to that folder. I haven't spotted any problems (yet). Do you have experience with this?


    You don't need to add a .htaccess, the important directories are already protected by .htaccess. Denying access to the entire WCF directory is bad because a lot of resources are loaded from there, for example JavaScript, Styles and the icon font.

    Alexander Ebert
    Senior Developer WoltLab® GmbH


  • I guess this is the important part.
    If the webserver/webspace is not limited in this way by default (most webspaces are, so if no index.php or index.html is available nothing will be shown),
    then one would need to add exactly what Andread stated above. is it just a "flaw" from the webspace you are using @spaced
    The directory listing should not be permitted by default.



  • You don't need to add a .htaccess, the important directories are already protected by .htaccess. Denying access to the entire WCF directory is bad because a lot of resources are loaded from there, for example JavaScript, Styles and the icon font.


    So I shouldn't use the above suggestion and should leave the wcf folder as it is, available to the public?


    Atm I did Andrea's suggestion with htaccess in the root and I'm getting a 403 at the location of the /wcf/, so I don't know if that's ok.




    Edit: we posted at the same time.

    Quote from Throwholics

    I guess this is the important part.
    If the webserver/webspace is not limited in this way by default (most webspaces are, so if no index.php or index.html is available nothing will be shown),
    then one would need to add exactly what Andread stated above. is it just a "flaw" from the webspace you are using @spaced
    The directory listing should not be permitted by default.


    So that's the solution then. Thank you for the clarification.

  • Add this to htaccess. That will stop viewing of indexes/directory lists in the browser and bot access/google indexing of these same index/directory lists.


    The files are still accessible when browsing your website but indexes/directory list access will just 404.


    Options -Indexes


    ----------


    Edit


    Sorry, missed the post above saying basically the same thing. My bad. :)
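
A small offline check for the three outcomes discussed in this thread (directory listing shown, PHP source shown, resources blocked by a blanket deny). It is an added example, not part of any post and not WoltLab code. The sample responses and the /wcf/js/WCF.js asset path are constructed, and the "Index of /" title match assumes Apache's auto-generated listing page.

```python
import re

# Apache's generated listing page carries this title (assumption: other servers differ).
LISTING = re.compile(r"<title>\s*Index of /", re.I)
ASSET_EXT = (".js", ".css", ".woff", ".woff2", ".ttf", ".png", ".svg")

def classify(path, status, body):
    """Return findings for one response fetched from your own site."""
    findings = []
    if path.endswith("/") and status == 200 and LISTING.search(body):
        findings.append("directory listing exposed")
    if path.endswith(".php") and status == 200 and "<?php" in body:
        findings.append("PHP source served as text")
    if path.lower().endswith(ASSET_EXT) and status in (401, 403, 404):
        findings.append("static asset blocked")
    return findings

def audit(responses):
    """responses: {path: (status, body)} -> {path: [findings]}, only paths with findings."""
    report = {}
    for path, (status, body) in responses.items():
        found = classify(path, status, body)
        if found:
            report[path] = found
    return report

# Constructed samples, one per configuration discussed in the thread.
LISTING_ON = {   # no index file, listing enabled by the host
    "/wcf/": (200, "<html><head><title>Index of /wcf</title></head></html>"),
    "/wcf/config.inc.php": (200, ""),           # PHP executed, no source shown
    "/wcf/js/WCF.js": (200, "/* script */"),
}
DENY_ALL = {     # "deny from everybody" on the whole folder
    "/wcf/": (403, "Forbidden"),
    "/wcf/config.inc.php": (403, "Forbidden"),
    "/wcf/js/WCF.js": (403, "Forbidden"),       # pages lose scripts and styles
}
INDEXES_OFF = {  # listing disabled, files still reachable
    "/wcf/": (403, "Forbidden"),
    "/wcf/config.inc.php": (200, ""),
    "/wcf/js/WCF.js": (200, "/* script */"),
}

if __name__ == "__main__":
    for name, sample in [("listing on", LISTING_ON), ("deny all", DENY_ALL),
                         ("indexes off", INDEXES_OFF)]:
        print(name, "->", audit(sample) or "no findings")
```

To run it against a live site, fill the dictionary from your own HTTP client with the status code and body for each path.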