http_error_log readable by public


This topic contains 5 replies, has 2 voices, and was last updated by  AITpro Admin 10 months, 2 weeks ago.

  • #33799

    greenside
    Participant

    I noticed bps-backup/logs/http_error_log.txt and db_backup_log.txt on my server can be read by any public IP. Is this supposed to be publicly available or have I made a mistake during setup? Could you please advise the best way to sort this so it also shows 403 Forbidden? Thanks in advance

    #33800

    AITpro Admin
    Keymaster

    Either you have intentionally disabled htaccess files using this Setup Wizard Option > Enable|Disable htaccess Files > htaccess Files Disabled or this Setup Wizard Option was accidentally set to htaccess Files Disabled or the .htaccess file in the /bps-backup/ folder has been deleted or your server does not allow .htaccess files to be used on your website.  Try changing the Setup Wizard Option > Enable|Disable htaccess Files > to htaccess Files Enabled.

    #33810

    greenside
    Participant

    Hi

    • My server does allow htaccess files to be used and other rules appear to all be working fine
    • htaccess files are not disabled in the Setup Wizard Option
    • If I browse to the directory level through a browser I see a BPS 403 page – e.g. https://example.com/wp-content/bps-backup/logs/ so you can tell most rules are working. It just seems to be the bps-backup contents that are public if reached directly, e.g. https://example.com/wp-content/bps-backup/logs/http_error_log.txt
    • As you asked I tried changing htaccess files setup wizard, since it was enabled I put it to disabled, saved, then back to enabled again and it made no difference (to access to read logs through a browser).
    • The above change did mean I lost recent rules I have added (which are directing all non-SSL to SSL, and blocking access to the user and comment routes of the WP-REST API) but that’s fine I can add them back in.
    • The .htaccess file in the /bps-backup/ folder has not been deleted but I am wondering if I have overwritten that htaccess or another by FTP? It seems that or a deeper htaccess in logs/ may be reason?
    • Also I don’t appear to have an htaccess file in the root of /wp-content/? Can you confirm should there be one there and if so is there a sample?

    Here is what I have in bps-backup/.htaccess:

    # BPS mod_access_compat
    <FilesMatch "(.*)$">
    Order Allow,Deny
    Deny from all
    </FilesMatch>
    
    

    and in bps-backup/logs/.htaccess

    AllowOverride All
    <Files ~ "\.txt$">
    Order allow,deny
    Deny from all
    </Files>
    

    Thanks for your help.

    #33811

    AITpro Admin
    Keymaster

    Directory level browsing is different than file level browsing.  So that is not a factor in this issue.  If you have a Dedicated or VPS server then you need to check your httpd.conf and vhosts conf files to make sure you are allowing htaccess files to be processed by your website/server (see general example below).  If you have Shared hosting then you will need to contact your web host and ask them why the /bps-backup/.htaccess file is not being processed by your server.  Your web host may not be allowing .htaccess files to be processed or is ignoring .htaccess files or your host is not backward compatible with mod_access_compat htaccess code.

    General example of httpd.conf and vhosts directive code to allow .htaccess file processing:
    The AllowOverride controls what directives may be placed in .htaccess files.  AllowOverride All directive setting means allow any/all htaccess files to be processed by your server/website.

    <Directory "C:/xampp/htdocs/demo1">
    #Options Indexes FollowSymLinks Includes ExecCGI
    Options All
    AllowOverride All
    Require all granted
    #Order allow,deny
    #Allow from all
    </Directory>

    #33814

    greenside
    Participant

    Did the two .htaccess files I pasted look ok?

    Should there be an .htaccess in /wp-content/?

    Yes it is a VPS but the lamp stack is managed. I will check how http.conf is setup. So you think it is possibly related to what AllowOverride is set to in httpd.conf?

    I assumed that because if I enter

    ?<script>alert('test')</script>

    on any of my URLs and see a BPS 403 page that means htaccess is being processed but it seems some parts are, some are not.

    #33817

    AITpro Admin
    Keymaster

    This htaccess file:  bps-backup/logs/.htaccess is not a BPS htaccess file and the code is not valid.  The AllowOverride All directive cannot be used in .htaccess files and can only be used in an httpd.conf or vhosts conf file.  I recommend that you delete that htaccess file since the BPS htaccess file here:  bps-backup/.htaccess protects all folders under the /bps-backup/ folder.  .htaccess files are hierarchical/recursive > parent dir > child dir > subchildren dirs are all protected by the parent htaccess file.

    No, do not add an .htaccess file in your /wp-content/ directory since it would break all of your plugins and themes.  Yes, check your httpd.conf and vhosts files to make sure you are allowing htaccess files to be processed by using the AllowOverride All directive.

    BPS Security Logging logs all 403 errors whether or not BPS is blocking something.  Example:  If something else is blocking something that causes a 403 error then BPS Security Logging will log that 403 error and display the BPS 403 template page.  Just for reference:  When testing whether or not BPS is blocking something you would use the BPS troubleshooting steps here: https://forum.ait-pro.com/forums/topic/read-me-first-free/#bps-free-general-troubleshooting.  Additionally if you turn off BPS Security Logging and something else on your server (Mod Security, etc) is blocking something then you will see a generic server 403 error page instead of the BPS 403 template page.
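The two points made in the replies above (AllowOverride is only valid in httpd.conf or a vhost file, never in .htaccess, and Order/Allow/Deny rules depend on mod_access_compat on Apache 2.4) can be checked mechanically. The script below is an added example for this thread, not BulletProof Security's own code: `htaccess_lint` flags server-config-only directives in a .htaccess file, and `expect_forbidden` confirms that a log file URL answers 403 rather than 200. It assumes curl is installed, and the directive list is a hand-picked subset of Apache's core directives, so extend it for your own setup; the two sample files it lints are constructed copies of the ones pasted earlier in this thread.

```shell
#!/bin/sh
# Added example for this thread, not BulletProof Security's own code.
# Two defender-side checks for the problem discussed above:
#   1. htaccess_lint FILE   - flag directives Apache refuses inside .htaccess
#                             (AllowOverride and friends belong in httpd.conf/vhost)
#   2. expect_forbidden URL - confirm a log file URL answers 403 instead of 200
# Assumptions: curl is installed; the directive list is a hand-picked subset.

# Directives whose context is server config / <Directory> / <VirtualHost> only
# (Apache core documentation); Apache answers 500 "not allowed here" for them.
SERVER_ONLY_DIRECTIVES='AllowOverride|<Directory|<DirectoryMatch|<VirtualHost|Listen'

# htaccess_lint FILE: returns 1 if an offending directive is found, 0 otherwise.
htaccess_lint() {
    file="$1"
    # Drop comment lines, then look for an offending directive at line start
    # (Apache directive names are case-insensitive, hence -i).
    bad=$(grep -v '^[[:space:]]*#' "$file" \
          | grep -Ei "^[[:space:]]*(${SERVER_ONLY_DIRECTIVES})" || true)
    if [ -n "$bad" ]; then
        printf '%s: not allowed in .htaccess (move to httpd.conf/vhost or delete):\n%s\n' "$file" "$bad"
        return 1
    fi
    # Order/Allow/Deny are mod_access_compat syntax; on Apache 2.4 they only work
    # if that module is loaded, otherwise the 2.4 form is "Require all denied".
    if grep -Eiq '^[[:space:]]*(Order|Allow from|Deny from)' "$file"; then
        printf '%s: uses Order/Allow/Deny, needs mod_access_compat on Apache 2.4\n' "$file"
    fi
    return 0
}

# expect_forbidden URL: returns 0 when the server answers 403, 1 otherwise.
expect_forbidden() {
    url="$1"
    code=$(curl -s -o /dev/null -w '%{http_code}' "$url")
    if [ "$code" = "403" ]; then
        printf 'OK   %s %s\n' "$code" "$url"
        return 0
    fi
    printf 'FAIL %s %s (expected 403)\n' "$code" "$url"
    return 1
}

# Demo on constructed copies of the two files pasted in the thread.
demo=$(mktemp -d)
cat > "$demo/parent.htaccess" <<'EOF'
# BPS mod_access_compat
<FilesMatch "(.*)$">
Order Allow,Deny
Deny from all
</FilesMatch>
EOF
cat > "$demo/logs.htaccess" <<'EOF'
AllowOverride All
<Files ~ "\.txt$">
Order allow,deny
Deny from all
</Files>
EOF
for f in "$demo"/*.htaccess; do
    htaccess_lint "$f" || true   # parent passes (with compat note), logs fails
done
rm -rf "$demo"

# Usage: sh check_htaccess.sh https://example.com/wp-content/bps-backup/logs/http_error_log.txt
for u in "$@"; do
    expect_forbidden "$u" || true
done
```

Run the lint over every .htaccess under the web root before contacting the host: a file that fails it would make Apache return 500 if it were being processed at all, so a 200 on the log file alongside an invalid child .htaccess points at .htaccess processing being off for that directory, which is exactly the AllowOverride question raised above.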
