automad: With the default Apache configuration Automad is exposing files it shouldn't
Here is Automad’s demo site. And here, for example, is the automad/package-lock.json file for that site.
Those are just text files, but .php files are also exposed. For example, if you constructed a URL to, say, automad/tests/Core/FileUtilsTest.php, the tests would (try to) run. (I didn’t go looking for particularly problematic .php files.)
On Apache these issues can be resolved by tightening up the .htaccess file. For inspiration, here is the .htaccess file for Gravity, and here is the .htaccess file for Kirby — two flat-file CMSes. (Here is the .htaccess for ProcessWire. ProcessWire is a traditional CMS rather than flat-file, but the .htaccess file is carefully thought out and well commented.)
Tightening up the .htaccess file would be something of a quick fix. Even better — this is a “someday” thing! — would be to change the directory structure so that static files are clearly separated from non-static files.
My Apache skills are rusty, but if you like I can take a first crack at the required changes.
P.S. Automad is an incredibly impressive piece of work. So many good ideas, so much attention to detail.
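For concreteness, here is an added example of the kind of tightening described above. It is not Automad's shipped `.htaccess`, nor anything from the Grav, Kirby or ProcessWire files mentioned, and it rests on assumptions that are not stated in this issue: Apache 2.4 (`Require` syntax) with `mod_rewrite` enabled and `AllowOverride` permitting these directives, the site installed at the document root, `index.php` in the document root as the front controller, and the only files under `automad/` that a browser ever fetches directly being static assets matching the extension list. It takes the allowlist approach: everything under `automad/` is refused unless it looks like an asset, which covers the two paths named in the report and every other source, vendor or test file in that tree.

```apache
# Added example, not Automad's own .htaccess. Assumptions: Apache 2.4 with
# mod_rewrite and mod_authz_core, AllowOverride allowing these directives,
# site at the document root, index.php in the document root as the front
# controller, and only static assets under automad/ needing direct access.

# Never list directory contents.
Options -Indexes

RewriteEngine On

# Refuse any direct request under automad/ unless it is a static asset type.
# This blocks automad/package-lock.json and automad/tests/Core/FileUtilsTest.php
# from the report, and everything else in that tree that is not an asset.
RewriteCond %{REQUEST_URI} ^/automad/ [NC]
RewriteCond %{REQUEST_URI} !\.(css|js|map|png|jpe?g|gif|svg|webp|ico|woff2?|ttf)$ [NC]
RewriteRule ^ - [F,L]

# Site-wide: dotfiles (.htaccess, .git, .env) and package/dependency manifests.
<FilesMatch "^\.">
    Require all denied
</FilesMatch>
<FilesMatch "^(composer|package|package-lock)\.(json|lock)$">
    Require all denied
</FilesMatch>

# Site-wide: file types that are never meant to be served.
<FilesMatch "\.(md|yml|yaml|ini|log|sh|sql|bak|dist)$">
    Require all denied
</FilesMatch>

# Only the front controller may be requested as PHP. <Files>/<FilesMatch>
# sections merge in order of appearance, so the later <Files> re-opens
# index.php after the <FilesMatch> has closed every other .php file.
<FilesMatch "\.php$">
    Require all denied
</FilesMatch>
<Files "index.php">
    Require all granted
</Files>
```

Any routing rules the site already relies on stay in place; these directives only add denials. Two checks are worth running after deploying: `curl -I` against `/automad/package-lock.json` and `/automad/tests/Core/FileUtilsTest.php` should now return 403, and the demo pages should still render with their CSS and JavaScript (if an asset under `automad/` breaks, its extension belongs in the allowlist). Two caveats: these rules act only on HTTP requests, so PHP code on the server can still `include` files under `automad/` from disk exactly as before; and they do nothing on nginx or on an Apache host where `AllowOverride` is `None`, which is exactly why separating static from non-static files on disk, as suggested above, is the more robust fix.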
About this issue
- State: open
- Created 2 years ago
- Comments: 20 (3 by maintainers)
That’s completely crazy to consider that exposing files is not so important, even JSON files or unit tests.
Just to chime in with my support for us NOT exaggerating: many well-known PHP apps are much more vulnerable (looking at you, WordPress) when installed as they MOST OFTEN are. Some mitigations are trivial. There is nothing to panic about with Automad. I make additional effort to set file access rights (set root ownership, read-only, where possible), but that’s ordinary operating procedure. Thanks for your efforts @marcantondahmen