Katsuro
Member
In the XenForo 2.x manual, where the nginx webserver configuration is described, there's a potential security fault related to PHP scripts:
With this setup, every visitor can still execute any PHP scripts behind protected folders, like src, internal_data, etc.
This should be fixed ASAP to avoid any problems in the future. Note that it's fixed in the official XenForo community: here
All protected routes need to have ^~ at the beginning of the path, so the final version should look like this:
NGINX:
# Protected directories. "^~" makes the longest prefix match final, so the
# "location ~ \.php$" regex below is never consulted for these paths and
# "internal" answers every external request with a 404.
location ^~ /xf/install/data/ {
    internal;
}
location ^~ /xf/install/templates/ {
    internal;
}
location ^~ /xf/internal_data/ {
    internal;
}
location ^~ /xf/library/ { #legacy
    internal;
}
location ^~ /xf/src/ {
    internal;
}
# Everything else under /xf/ goes through the front controller.
location /xf/ {
    try_files $uri $uri/ /xf/index.php?$uri&$args;
    index index.php index.html;
}
# PHP handler: only reached for paths that did not hit a "^~" prefix above.
location ~ \.php$ {
    try_files $uri =404;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
}
Not sure where to publish this issue, so there it is.
Reference: Configuring nginx to return a 404 when a URL matches a pattern (stackoverflow.com)