Protecting wwwroot contents

Hi,

May I know the process for protecting the files in the wwwroot folder for the developer portal? I have tried using .htaccess to restrict access to files such as install.php and web.config, but it is not working.

The issue found in our portal is Web Server Misconfiguration (Unprotected files):

"The severity of the threats posed by the web-accessible backup files depends on the sensitivity of the information stored in original document. Based on that information, the attacker can gain sensitive information about the site architecture, database and network access credential details, encryption keys, and so forth from these files. The attacker can use information obtained to craft precise targeted attacks, which may not otherwise be feasible, against the application. An attacker can use the information obtained from the backup file of a sensitive document to craft a precise targeted attack against the web application. Such attacks can include, but are not limited to, SQL injection, remote file system access to overwrite or inject malware, and database manipulation."

Regards,

Anthony

@Anil Sagar @ Google

1 REPLY

Not sure what scanner you are using that gives you this warning, but from the error message and a little googling, I think it is HP WebInspect.

I think that tool is misconfigured or ignorant of Drupal configuration. This warning is not applicable.

All requests in Drupal flow through index.php. If you have backup files stored somewhere under your wwwroot, that's a housekeeping issue, but it's not a security problem.

You can (probably should) remove backup files if there are any. But I cannot say for sure since I don't know the files.

Also make sure you have HP WebInspect configured properly. You may want to try a different forum for help with THAT tool.

Good luck.
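
For the housekeeping step suggested in the reply (finding backup files under wwwroot so they can be removed), here is an added example that is not part of the original thread. The pattern list, function names and the sample tree are assumptions made for illustration; run `find_backup_files` against your own document root path.

```python
import fnmatch
import os
import tempfile

# Assumed name patterns for backup and editor leftovers; extend for local tooling.
BACKUP_PATTERNS = ("*.bak", "*.old", "*.orig", "*.save", "*.swp", "*~",
                   "*.sql", "*.sql.gz", "*.tar", "*.tar.gz", "*.tgz", "*.zip")


def find_backup_files(docroot, patterns=BACKUP_PATTERNS):
    """Return sorted docroot-relative paths whose names look like backups."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        # Skip version-control metadata; that is a separate finding.
        dirnames[:] = [d for d in dirnames if d not in (".git", ".svn")]
        for name in filenames:
            lowered = name.lower()
            if any(fnmatch.fnmatch(lowered, p) for p in patterns):
                rel = os.path.relpath(os.path.join(dirpath, name), docroot)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def build_sample_tree(root):
    """Create a constructed sample docroot (not taken from any real portal)."""
    files = ["index.php", "install.php", "web.config", "index.php.bak",
             "sites/default/settings.php", "sites/default/settings.php~",
             "sites/default/files/dump.sql.gz"]
    for rel in files:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for rel in find_backup_files(root):
            print(rel)
```

Files the web application needs, such as index.php, install.php and web.config, are not flagged; only names matching the leftover patterns are listed for review.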