Prevent browsing of FreePBX admin folder sub-directories


#1

I just noticed that anyone can browse my admin folder sub-directories without being logged in if he knows the name of the sub folder. Not sure if this is a security risk but I would suggest adding an empty index.html file to each subfolder to prevent browsing.


Why is Directory Browsing on by default for: admin/modules, admin/assets and admin/images?
#2

Hmmm, you are right, open a ticket. You don’t need the blank file, it’s an Apache setting.


#3

I also changed the httpd.conf file as follows to prevent directory listings in Apache.

<Directory "/var/www/html">

find the line Options Indexes FollowSymLinks
and change to Options -Indexes FollowSymLinks


#4

Oops. That did not come out right.
Open httpd.conf
Find the section where you set your DocumentRoot
change the line: Options Indexes FollowSymLinks
to: Options -Indexes FollowSymLinks
save and service httpd restart

That will result in a Forbidden error when trying to browse directories.
Forbidden
You don’t have permission to access /xxxx/xxxxx/ on this server.


#5

Please open a ticket, this is important to get in.


#6

Ticket #6495


#7

What kind of install is this and what version of FreePBX? By default the /admin directories and subdirectories have been protected with .htaccess for a long time.

If you can still browse the /admin directories it’s probably because you have “AllowOverride None” globally in your httpd.conf file. Change it to “AllowOverride All”.


#8

It’s version 3.211.63-7 of the distro but I found the same behavior in previous versions of the distro going back to 1.87.29.55-2 (that’s my oldest system). This is a stock install. I did not make any changes to the httpd.conf but I can confirm that the current setting (distro default) is: “AllowOverride None”

Which setting is preferred?
Options -Indexes FollowSymLinks
AllowOverride All
or both?


#9

There are all kinds of different ways to do it but the simplest is to set AllowOverride All globally. It should be around line 339 in httpd.conf on CentOS 6. Otherwise linux will ignore .htaccess files. There are usually other AllowOverride settings in that file for different subdirectories. Not sure if FreePBX distro is doing anything with that or not.

Next you should check that you have a .htaccess file in your /admin directory.

Generic FreePBX install places the following .htaccess file in there.

# Disallow all file access first
Deny from all

# Now allow /admin, /admin/config.php and /admin/index.php as well as the various assets
<FilesMatch "(^$|index.php|config.php|\.(gif|GIF|jpg|jpeg|png|css|js|swf|txt|ico)$)">
Allow from all
</FilesMatch>
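As an added example (not from the thread or the FreePBX distro), a small POSIX sh audit that flags the two settings discussed in posts #4 and #7/#9 inside the DocumentRoot Directory block of an httpd.conf and prints the hardened form. The config text is a constructed sample modelled on the CentOS 6 default the posters describe; the /var/www/html path is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: audit an httpd.conf for the two weak settings
# discussed above and print the hardened version. SAMPLE_CONF is a constructed
# sample; the /var/www/html DocumentRoot is an assumption.
SAMPLE_CONF='DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>'

# Print the Options and AllowOverride lines of the <Directory $2> block in config $1.
docroot_block() {
    printf '%s\n' "$1" | awk -v dir="$2" '
        $1 == "<Directory" && index($0, dir) { inblock = 1; next }
        $1 == "</Directory>"                 { inblock = 0 }
        inblock && ($1 == "Options" || $1 == "AllowOverride")'
}

# Print one finding per weak setting; return 1 if any was found, 0 if clean.
audit_docroot() {
    block=$(docroot_block "$1" "$2")
    rc=0
    # "Indexes" or "+Indexes" turns listing on; "-Indexes" (post #4) turns it off.
    if printf '%s\n' "$block" | grep -Eq '^[[:space:]]*Options.*[[:space:]]\+?Indexes([[:space:]]|$)'; then
        echo "WEAK: directory listing enabled (Options Indexes)"; rc=1
    fi
    # AllowOverride None makes Apache ignore admin/.htaccess entirely (post #7).
    if printf '%s\n' "$block" | grep -Eq '^[[:space:]]*AllowOverride[[:space:]]+None'; then
        echo "WEAK: AllowOverride None, .htaccess files are ignored"; rc=1
    fi
    return $rc
}

# Apply both changes to the <Directory $2> block of config $1 and print the result.
harden_docroot() {
    printf '%s\n' "$1" | awk -v dir="$2" '
        $1 == "<Directory" && index($0, dir) { inblock = 1 }
        $1 == "</Directory>"                 { inblock = 0 }
        inblock && $1 == "Options"       { sub(/[ \t]\+?Indexes/, " -Indexes") }
        inblock && $1 == "AllowOverride" { sub(/None/, "All") }
        { print }'
}

audit_docroot "$SAMPLE_CONF" /var/www/html
harden_docroot "$SAMPLE_CONF" /var/www/html
```

Run it against a real file with `audit_docroot "$(cat /etc/httpd/conf/httpd.conf)" /var/www/html`; the hardened text is printed, not written back, so the restart from post #4 still has to follow a manual edit.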

