I installed Simple Invoices on a Linux Debian server running Apache 2.2. As documented in the installation procedure, I extracted the installation package to the document root and made the tmp directory writable by the Apache process.
However, I just realized today that without proper configuration, Apache can expose confidential files located in that tmp sub directory on the internet, such as the database backups containing all your invoicing information and your client list. Although I did not test it, I also think the config/config.ini file was not protected.
I'm not an Apache expert, but to prevent this I used the following configuration:
DocumentRoot /var/www/invoices.mycompany.xyz
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/invoices.mycompany.xyz>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order Allow,Deny
Allow from all
</Directory>
<DirectoryMatch "^/var/www/invoices.mycompany.xyz/.+/">
Order Deny,Allow
Deny from all
</DirectoryMatch>
<DirectoryMatch "^/var/www/invoices.mycompany.xyz/(images|templates|include|library)/">
Order Deny,Allow
Allow from all
</DirectoryMatch>
This only allows access to the root directory and the images and templates sub directories.
I hope this can help.
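As an added illustration (not the post's own code, and only an approximation of Apache's merge rules), this Python script models the section merging Apache 2.2 applies to the configuration above and reports which request paths it would still serve. The document root, sub directory names and regexes are the ones from the post; the sample request paths under tmp/ and config/ are constructed.

```python
import posixpath
import re

# Document root from the post's configuration.
DOCROOT = "/var/www/invoices.mycompany.xyz"

# The post's sections, in configuration order: (kind, path_or_regex, decision).
# decision is None when a section carries no Order/Allow/Deny directives.
SECTIONS = [
    ("Directory", "/", None),
    ("Directory", DOCROOT, "allow"),
    ("DirectoryMatch", r"^/var/www/invoices.mycompany.xyz/.+/", "deny"),
    ("DirectoryMatch", r"^/var/www/invoices.mycompany.xyz/(images|templates|include|library)/", "allow"),
]


def _dir_matches(section_path, dirname):
    """Plain <Directory> sections apply to the directory and everything below it."""
    if section_path == "/":
        return True
    return dirname == section_path or dirname.startswith(section_path + "/")


def decide(url_path):
    """Return 'allow' or 'deny' for a request path. Model of Apache 2.2 merging:
    plain <Directory> sections shortest path first, then <DirectoryMatch> in config
    order; the last section carrying access directives replaces the earlier result."""
    filename = posixpath.normpath(posixpath.join(DOCROOT, url_path.lstrip("/")))
    dirname = posixpath.dirname(filename)
    decision = "allow"  # mod_authz_host default: no Deny entries, so everything is allowed
    plain = sorted((s for s in SECTIONS if s[0] == "Directory"), key=lambda s: len(s[1]))
    for _, path, verdict in plain:
        if verdict is not None and _dir_matches(path, dirname):
            decision = verdict
    for _, pattern, verdict in (s for s in SECTIONS if s[0] == "DirectoryMatch"):
        # Simplification: match against the full filename; the trailing slash in the
        # post's patterns is what makes them hit files inside sub directories.
        if verdict is not None and re.search(pattern, filename):
            decision = verdict
    return decision


def exposed_paths(url_paths):
    """Filter request paths down to those the rule set would still serve."""
    return [p for p in url_paths if decide(p) == "allow"]


if __name__ == "__main__":
    # Constructed sample requests against a SimpleInvoices-style layout.
    samples = ["/index.php", "/tmp/backup.sql", "/config/config.ini",
               "/images/logo.png", "/templates/default/main.tpl", "/library/pdf/foo.php"]
    for p in samples:
        print(f"{p:32} {decide(p)}")
```

Note that the second DirectoryMatch also grants access to include/ and library/, so anything sensitive kept there remains reachable. On Apache 2.4 the Order/Allow/Deny directives only work with mod_access_compat loaded; the native equivalents are Require all denied and Require all granted.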
Hi,
Thank you. This is indeed a problem. Can you please report this here: http://code.google.com/p/simpleinvoices/issues/list
We will then discuss it and prepare a solution.