
#2032 Missing .htaccess file for dictionaries folder

2.7.7
closed
None
User Interface
Critical
3.0.0
defect
2022-07-26
2022-02-14
No

Hello,
I noticed that, Googling for iTop (https://www.google.com/search?q=itop+intitle:index&ei=OHoKYrH4HMaq5OUP6Ke2iAk&start=0&sa=N&ved=2ahUKEwix9MD7xf_1AhVGFbkGHeiTDZE4PBDy0wN6BAgBEDw&biw=1366&bih=625&dpr=1), it's possible to find a lot of "Index of" entries for the "env-production" folder. It doesn't seem to be an issue, but I believe there should be a '.htaccess' file to avoid browsing and indexing the "env-*" folder publicly.

Discussion

  • Hipska

    Hipska - 2022-02-14

    It looks to me that those administrators didn't follow the Security best practice article on the wiki.

     
  • Guillaume Lajarige

    Eduardo, please keep the "tickets" for qualified bugs and use the "discussions" instead.

    Cheers,
    Guillaume

     
  • Guillaume Lajarige

    Note that iTop 2.7+ comes with .htaccess (Apache) and web.config (IIS) files to enable these protections by default.

     
  • Eduardo Oliveira

    Hello guys,
    Sorry, I'll post my future suggestions in the Discussions forum before posting them here.
    @Hipska, I agree with you that the security guide should be followed, but most users do not read the docs (sadly), and I believe this kind of protection could be implemented by iTop developers by default.
    @Guillaume Lajarige, the documentation states that .htaccess files are provided with the default iTop distribution, but that doesn't seem to be the case for the <env-*> directory, at least in iTop Community. There are ".htaccess" files only in the following directories (relative to <itop-root>):
    • data
    • datamodels
    • extensions
    • lib
    • log
    • node_modules
    There doesn't seem to be a .htaccess file for the <env-*> directory. I believe iTop could create it by default when creating a new environment, as environments are created on an as-needed basis and newer environments may lack proper protection if the admin forgets to create a new .htaccess file in them. Maybe a global .htaccess could be created in the iTop root folder so it would apply to all <env-*> directories using a regex?

     
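
    The script below is an added example for readers of this ticket; it is not iTop code and not part of the thread. It audits an Apache-hosted web root for the directories named above (plus conf and the compile-time env-* folders), classifies each one as missing a .htaccess, carrying one with no protective directive, or protected, and separately recognises a mod_autoindex "Index of" page such as the ones the reporter found via Google. The directive patterns, the fixture tree and the sample response bodies are assumptions made for the demo; IIS web.config files are not checked.

```python
"""Audit an Apache-hosted iTop web root for missing or ineffective .htaccess files.

Added example (not iTop code). Directory names follow the thread; the fixture
tree, the directive patterns and the autoindex check are assumptions.
"""
import re
import tempfile
from pathlib import Path

# Apache directives that stop a directory listing: `Options -Indexes` disables
# mod_autoindex; `Require all denied` (2.4) and `Deny from all` (2.2) block the
# directory entirely. Any one of them is enough for this check.
PROTECTIVE_DIRECTIVES = (
    re.compile(r"^\s*Options\b[^\n]*-Indexes", re.IGNORECASE | re.MULTILINE),
    re.compile(r"^\s*Require\s+all\s+denied\b", re.IGNORECASE | re.MULTILINE),
    re.compile(r"^\s*Deny\s+from\s+all\b", re.IGNORECASE | re.MULTILINE),
)

# Directories named in the thread as carrying (or needing) a protection file.
# env-* is a glob because environments are created at compile time, not shipped.
EXPECTED_DIRS = ("conf", "data", "datamodels", "extensions", "lib", "log",
                 "node_modules", "env-*")


def htaccess_status(directory: Path) -> str:
    """Return 'missing', 'weak' (file present but no protective directive) or 'ok'."""
    htaccess = directory / ".htaccess"
    if not htaccess.is_file():
        return "missing"
    text = htaccess.read_text(errors="replace")
    return "ok" if any(p.search(text) for p in PROTECTIVE_DIRECTIVES) else "weak"


def audit(root) -> dict:
    """Map each expected directory that exists under root to its .htaccess status."""
    root = Path(root)
    results = {}
    for pattern in EXPECTED_DIRS:
        for d in sorted(root.glob(pattern)):
            if d.is_dir():
                results[d.name] = htaccess_status(d)
    return results


AUTOINDEX_TITLE = re.compile(r"<title>\s*Index of /", re.IGNORECASE)


def looks_like_autoindex(html: str) -> bool:
    """True if a response body is an Apache mod_autoindex page (the 'Index of'
    hits the reporter found through Google). Run it on the body of a GET to
    https://host/env-production/ to confirm the listing is gone after the fix."""
    return bool(AUTOINDEX_TITLE.search(html))


def build_demo_root() -> str:
    """Constructed fixture, not a real install, reproducing the thread's situation."""
    root = Path(tempfile.mkdtemp(prefix="itop-audit-"))
    for name in ("data", "log", "env-production", "env-test", "conf"):
        (root / name).mkdir()
    (root / "data" / ".htaccess").write_text("Options -Indexes\n")
    (root / "log" / ".htaccess").write_text("Require all denied\n")
    (root / "env-production" / ".htaccess").write_text("Options -Indexes\n")
    # env-test: an environment created later with no protection file at all.
    # conf: a .htaccess that only contains a comment protects nothing.
    (root / "conf" / ".htaccess").write_text("# placeholder\n")
    return str(root)


# Constructed sample bodies: what Apache returns with and without -Indexes.
LISTING_BODY = "<html><head><title>Index of /env-production</title></head><body>...</body></html>"
FORBIDDEN_BODY = "<html><head><title>403 Forbidden</title></head><body>...</body></html>"


if __name__ == "__main__":
    for name, status in audit(build_demo_root()).items():
        print(f"{status:8} {name}")
    print("listing exposed:", looks_like_autoindex(LISTING_BODY))
```

    Pointed at a real install (`audit("/var/www/itop")`), anything reported as "missing" or "weak" is a directory that would appear in the search results described in this ticket; "weak" catches the case where a file exists but was emptied or edited by a hosting control panel. A passing audit is still worth confirming from outside, because AllowOverride None in the virtual host silently ignores every .htaccess file regardless of its content.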
  • Guillaume Lajarige

    The .htaccess file for env-xxx is generated during compilation, as the folder is not present out of the box. Are you saying that you don't have it?

    Cheers,
    Guillaume

     
  • Pierre Goiffon

    Pierre Goiffon - 2022-02-15
    • status: new --> more-info-needed
    • assigned_to: Guillaume Lajarige
     
  • Eduardo Oliveira

    @glajarige, yes, exactly: there's no .htaccess file in my <env-production> folder on the public web server, which is hosted on cPanel (Apache + PHP).

     
  • Guillaume Lajarige

    The issue might be related to your shared host provider, not iTop. Can you reproduce the issue on a Linux VM?

    Guillaume

     
  • José María García

    I have just followed installation instructions for the latest iTop Community Edition in here, and after setup there was no .htaccess file within conf folder.

     
    • Pierre Goiffon

      Pierre Goiffon - 2022-04-07

      Hello,
      /conf/.htaccess is part of iTop codebase and present in each iTop package made by Combodo.
      Is this the file you're talking about?

       
      • José María García

        Yes. I found that after finishing the setup, that file was not present in my folder. This folder is not present at the beginning (the zip file from sourceforge does not contain it), but it is created after the setup is done without any .htaccess on it.

        Interestingly, the .htaccess file was indeed generated in env-production folder.

         

        Last edit: José María García 2022-04-07
      • Pierre Goiffon

        Pierre Goiffon - 2022-04-08

        Hello,

        Oh yeah you're right my apologies, the /conf folder isn't present in Combodo's iTop packages, and not re-created in the setup.
        This folder should contain only .php files, so nothing could be accessible to end users.

        The env-* folders are created dynamically, and since 2.7.0 we add the appropriate .htaccess and web.config files (N°2498, see \MFCompiler::WriteStaticOnlyHtaccess and \MFCompiler::WriteStaticOnlyWebConfig)

         
      • Pierre Goiffon

        Pierre Goiffon - 2022-04-22

        Hello,
        Just to let you know we modified our build system : next Combodo packages (2.7.7, 3.0.2, 3.1.0) will include /conf and the 3 protection files that are present in the repo.
        Combodo internal ref for this modification is N°5114

         
  • Benjamin DALSASS

    • status: more-info-needed --> closed
    • Milestone: 3.0.1 --> 2.7.7
     
  • Benjamin DALSASS

    Fix iTop 2.7.7 will be delivered next week

     
