From 7ba9b06881ddd70bd3b10e2785b91908e851cdaa Mon Sep 17 00:00:00 2001
From: Marc Alexander
Date: Sun, 13 Nov 2016 11:50:23 +0100
Subject: [ticket/security-181] Port .htaccess changes to other webserver types
SECURITY-181
---
phpBB/docs/lighttpd.sample.conf | 2 +-
phpBB/docs/nginx.sample.conf | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
(limited to 'phpBB/docs')
diff --git a/phpBB/docs/lighttpd.sample.conf b/phpBB/docs/lighttpd.sample.conf
index 5b04122267..f5b509e002 100644
--- a/phpBB/docs/lighttpd.sample.conf
+++ b/phpBB/docs/lighttpd.sample.conf
@@ -37,7 +37,7 @@ $HTTP["host"] == "www.myforums.com" {
 accesslog.filename = "/var/log/lighttpd/access-www.myforums.com.log"
 
 # Deny access to internal phpbb files.
- $HTTP["url"] =~ "^/(config\.php|common\.php|includes|cache|files|store|images/avatars/upload)" {
+ $HTTP["url"] =~ "^/(config\.php|common\.php|cache|files|images/avatars/upload|includes|phpbb|store|vendor)" {
 url.access-deny = ( "" )
 }
 
diff --git a/phpBB/docs/nginx.sample.conf b/phpBB/docs/nginx.sample.conf
index 2ead3552fd..bf33f4e73d 100644
--- a/phpBB/docs/nginx.sample.conf
+++ b/phpBB/docs/nginx.sample.conf
@@ -72,7 +72,7 @@ http {
 }
 
 # Deny access to internal phpbb files.
- location ~ /(config\.php|common\.php|includes|cache|files|store|images/avatars/upload) {
+ location ~ /(config\.php|common\.php|cache|files|images/avatars/upload|includes|phpbb|store|vendor) {
 deny all;
 # deny was ignored before 0.8.40 for connections over IPv6.
 # Use internal directive to prohibit access on older versions.
-- 
cgit v1.2.1
From 44dd1ef9842c83f7ba4a37bf4a17489d5fe73991 Mon Sep 17 00:00:00 2001
From: Marc Alexander
Date: Sun, 13 Nov 2016 12:26:35 +0100
Subject: [ticket/security-181] Update INSTALL.html to ask for more secure apache config
SECURITY-181
---
phpBB/docs/INSTALL.html | 18 +++++++++++++++---
phpBB/docs/assets/css/stylesheet.css | 11 +++++++++++
2 files changed, 26 insertions(+), 3 deletions(-)
(limited to 'phpBB/docs')
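Review bot: The new lighttpd pattern `^/(config\.php|common\.php|cache|…|vendor)` is anchored to the root of the URL, so it only protects a phpBB instance served from `/`; when the forum lives under a sub-path the same directories are not covered, and nothing in the sample says so. A comment would make the assumption visible to whoever copies it, e.g. `# Assumes phpBB is installed at the document root; for a subdirectory install prepend the install path to the pattern.` The pattern also has no closing boundary, so any URL that merely begins with one of those names is denied as well; that errs on the safe side but deserves a one-line comment so it is not mistaken for a bug. The enclosing `$HTTP["host"]` block starts and ends outside the hunk.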
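Review bot: The nginx `location ~ /(config\.php|…|vendor)` block is a regular-expression location, and nginx selects the first regex location that matches in configuration order; if the sample's `.php` handler location appears before this block (the surrounding `server` block is outside the hunk, so this cannot be confirmed here), PHP files under the listed directories would be handled by that block instead of being denied. Since administrators copy these samples verbatim, the ordering requirement should be recorded next to the rule, e.g. `# Keep this block ahead of any "location ~ \.php$" handler: nginx uses the first matching regex location.` The regex is also unanchored, unlike the lighttpd hunk in this commit, so it matches those names anywhere in the URI; that works for subdirectory installs but also denies unrelated paths containing e.g. `/files`, and a short comment stating that this is intentional (or anchoring it to the install path) would make the intent explicit.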
diff --git a/phpBB/docs/INSTALL.html b/phpBB/docs/INSTALL.html
index 9f8bbe74b8..53c18da733 100644
--- a/phpBB/docs/INSTALL.html
+++ b/phpBB/docs/INSTALL.html
@@ -148,7 +148,7 @@
  • Oracle
  • -
  • PHP 5.3.3+ and PHP < 7.0 with support for the database you intend to use.
  • +
  • PHP 5.3.3+ and PHP < 7.0 with support for the database you intend to use.
  • The following PHP modules are required:
    • json
    • @@ -455,9 +455,21 @@

      6.ii. Webserver configuration

      -

      Depending on your web server, you may have to configure your server to deny web access to the cache/, files/, store/ and other directories. This is to prevent users from accessing sensitive files.

      +

      Depending on your web server, you may have to configure your server to deny web access to the cache/, files/, includes, phpbb, store/, and vendor directories. This is to prevent users from accessing sensitive files.

      -

      For Apache there are .htaccess files already in place to do this for you. Similarly, for Windows based servers using IIS there are web.config files already in place to do this for you. For other webservers, you will have to adjust the configuration yourself. Sample files for nginx and lighttpd to help you get started may be found in docs/ directory.

      +

      + For Apache there are .htaccess files already in place to do this for the most sensitive files and folders. We do however recommend to completely deny all access to the aforementioned folders and their respective subfolders in your Apache configuration.
      + On Apache 2.4, denying access to the phpbb folder in a phpBB instance located at /var/www/html/ would work like this: +

      +<Directory /var/www/html/phpbb/*>
      +	Require all denied
      +</Directory>
      +<Directory /var/www/html/phpbb>
      +	Require all denied
      +</Directory>
      +
      +

      The same settings can be applied to the other mentioned directories by replacing phpbb by the respective directory name. Please pay attention to the difference in syntax between Apache version 2.2 and 2.4.

      +

      For Windows based servers using IIS there are web.config files already in place to do this for you. For other webservers, you will have to adjust the configuration yourself. Sample files for nginx and lighttpd to help you get started may be found in docs/ directory.

diff --git a/phpBB/docs/assets/css/stylesheet.css b/phpBB/docs/assets/css/stylesheet.css
index 192a6f9f79..c090ab7e07 100644
--- a/phpBB/docs/assets/css/stylesheet.css
+++ b/phpBB/docs/assets/css/stylesheet.css
@@ -115,6 +115,17 @@ code {
 padding: 0 4px;
 }
 
+pre {
+ color: #006600;
+ font-weight: normal;
+ font-family: 'Courier New', monospace;
+ border-color: #D1D7DC;
+ border-width: 1px;
+ border-style: solid;
+ background-color: #FAFAFA;
+ padding: 0 4px
+}
+
 #wrap {
 padding: 0 20px;
 min-width: 650px;
-- 
cgit v1.2.1