Opened 5 years ago

Closed 4 years ago

#445 closed Bug (fixed)

Prevent directory listing

Reported by: toutoune25 Owned by:
Priority: low Milestone: Piwik 0.5.5
Component: Core Keywords:
Cc: Sensitive: no



Piwik doesn't prevent listing of some key directories such as core/ or config/. This could help identifying piwik's running version.

Putting empty index.html files in those directories solves the problem.


Change History (6)

comment:1 Changed 5 years ago by matthijs

Isn't this something that should be disabled in the webserver config instead? Any production server should have dirlisting disabled by default, though most shared hosters will probably not do this...

comment:2 Changed 5 years ago by matt (mattab)

  • Milestone set to RobotRock
  • Resolution set to wontfix
  • Status changed from new to closed

indeed. you can always add a .htaccess with "Deny from all"

comment:3 Changed 5 years ago by matthijs

If you really want to fix this problem, you should also make sure that files and dirs like README, tmp, tests, misc, etc. are removed as well. Even better, any php files that are not meant to be called directly (ie, anything but piwik.php and index.php I guess) should be outside of the document root as well.

Piwik might could make this setup easier by supplying a "htdocs" dir, which contains all files that should be in the document root. This will slightly complicate the default "put everything in the docroot" install approach (in particular, "htdocs" will show up in the url), but most of this should be solved by symlinking just index.php and perhaps piwik.php outside of the document root. The more advanced user can then just symlink only the htdocs directory into the documentroot (which contains index.php, piwik.php/js, robots.txt and the themes' css and js).

Anyway, perhaps this should be a seperate ticket, if anyone cares...

comment:4 Changed 4 years ago by vipsoft (robocoder)

  • Milestone changed from RobotRock to 1 - Piwik 0.5.5
  • Sensitive unset

Fixed in [1743].

comment:5 Changed 4 years ago by vipsoft (robocoder)

  • Resolution wontfix deleted
  • Status changed from closed to reopened

comment:6 Changed 4 years ago by vipsoft (robocoder)

  • Resolution set to fixed
  • Status changed from reopened to closed
Note: See TracTickets for help on using tickets.