nginx-related manual security fault

Katsuro

Member
In XenForo 2.x manual, where nginx webserver configuration described, there's a potential security fault related to php scripts:
With this setup, every visitor still can execute any php scripts behind protected folders, like src, internal_data, etc
All protected routes need to have ^~ at the beginning of path, so the final version should look like this:
NGINX:
location ^~ /xf/install/data/ {
    internal;
}

location ^~ /xf/install/templates/ {
    internal;
}

location ^~ /xf/internal_data/ {
    internal;
}

location ^~ /xf/library/ { #legacy
    internal;
}

location ^~ /xf/src/ {
    internal;
}

location /xf/ {
    try_files $uri $uri/ /xf/index.php?$uri&$args;
    index index.php index.html;
}

location ~ \.php$ {
    try_files $uri =404;
    fastcgi_pass    127.0.0.1:9000;
    fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include         fastcgi_params;
}
This should be fixed asap avoid any problems in the future. Note that it's fixed in official XenForo community: here
Not sure where to publish this issue, so there it is

Reference:
 
Thanks for reporting this.

We have made these changes live in the manual.

For the avoidance of doubt, a bunch of XenForo Cloud configuration was actually derived from our production environment here so, like this site, XenForo Cloud was also not susceptible to this.
 
Back
Top Bottom