Bug Report #1690
Configuration readable from web if internal cache is enabled
| Field | Value | Field | Value |
|---|---|---|---|
| Status: | Closed | Start date: | 05/22/2009 |
| Priority: | Immediate | Due date: | |
| Assignee: | | % Done: | 100% |
| Category: | Core | | |
| Target version: | 2.3.3 | Estimated time: | 2.00 hours |
| Resolution: | fixed | Points: | |
Description
Problem:
If the internal cache is enabled, you can access this cache file via http://host/application/cache/kohana_configuration
There you have the database config, auth config, ...
- append .php (EXT) to every cache file.
- include SYSTEM checks
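The two changes the report asks for, shown side by side with the behaviour it describes. This is an added example, not Kohana's own cache code: the `APPPATH`, `SYSPATH` and `EXT` constants follow Kohana's naming but are defined here so the script runs stand-alone, the configuration array is constructed, and storing the cache as `var_export()` output loaded with `include` (instead of `serialize()`/`unserialize()`) is this example's own choice so that the `.php` file can carry the access guard as its first statement.

```php
<?php
// Added example (not Kohana's code). Assumed Kohana-style constants, defined
// here only so the script runs on its own.
defined('SYSPATH') or define('SYSPATH', __DIR__ . '/system/');
defined('APPPATH') or define('APPPATH', __DIR__ . '/application/');
defined('EXT')     or define('EXT', '.php');

// Constructed configuration of the kind the internal cache holds.
$config = array(
    'database' => array('host' => 'localhost', 'user' => 'app', 'pass' => 's3cret'),
    'auth'     => array('hash_method' => 'sha1', 'salt_pattern' => '1, 3, 5'),
);

/**
 * VULNERABLE: serialized data in a file with no extension. If application/
 * sits under the document root, the web server serves the file verbatim and
 * http://host/application/cache/kohana_configuration discloses every value.
 */
function cache_save_vulnerable($data, $name)
{
    $dir = APPPATH . 'cache/';
    is_dir($dir) or mkdir($dir, 0750, TRUE);
    return (bool) file_put_contents($dir . 'kohana_' . $name, serialize($data));
}

/**
 * HARDENED: the cache is written as a PHP file that refuses direct access.
 *  - EXT (.php) makes the web server hand the file to PHP instead of
 *    serving its bytes.
 *  - The SYSPATH check is the guard Kohana's own files use: over HTTP the
 *    constant is never defined, so the script dies before any output.
 *  - var_export() emits PHP source, so the framework loads the file with
 *    include; arrays and scalars round-trip exactly (objects would need
 *    __set_state(), which a config cache does not contain).
 */
function cache_save_hardened($data, $name)
{
    $dir = APPPATH . 'cache/';
    is_dir($dir) or mkdir($dir, 0750, TRUE);
    $source = "<?php defined('SYSPATH') or die('No direct script access.');\n"
            . 'return ' . var_export($data, TRUE) . ";\n";
    // Write to a temp file and rename so a reader never includes a half-written cache.
    $tmp = $dir . 'kohana_' . $name . '.' . uniqid('', TRUE) . '.tmp';
    if (file_put_contents($tmp, $source, LOCK_EX) === FALSE)
        return FALSE;
    return rename($tmp, $dir . 'kohana_' . $name . EXT);
}

function cache_load_hardened($name)
{
    $path = APPPATH . 'cache/kohana_' . $name . EXT;
    return is_file($path) ? include $path : NULL;
}

/**
 * What an anonymous HTTP client gets for each file. A non-.php file is served
 * as static content; a .php file is executed by an interpreter in which
 * SYSPATH is undefined, which is simulated here with a fresh PHP process.
 */
function simulate_web_fetch($path)
{
    if (substr($path, -strlen(EXT)) !== EXT)
        return file_get_contents($path);
    return shell_exec(PHP_BINARY . ' ' . escapeshellarg($path));
}

cache_save_vulnerable($config, 'configuration');
cache_save_hardened($config, 'configuration');

echo "Vulnerable file over HTTP:\n",
     simulate_web_fetch(APPPATH . 'cache/kohana_configuration'), "\n\n";
echo "Hardened file over HTTP:\n",
     simulate_web_fetch(APPPATH . 'cache/kohana_configuration' . EXT), "\n\n";
echo "Hardened file loaded by the framework, data intact: ",
     var_export(cache_load_hardened('configuration') === $config, TRUE), "\n";
```

The first fetch prints the serialized database credentials; the second prints only the guard's message. The file-level guard is independent of web server configuration, which is the point: an Apache `Deny from all` (2.2) or `Require all denied` (2.4) in `application/.htaccess` also blocks the request, but only where `AllowOverride` permits it and only on Apache, whereas the `.php` extension plus `SYSPATH` check protects the file wherever PHP is the handler. Encrypting the cache, as the eventual fix does, is a further layer, but it only helps if the key is not itself readable by the same route, so keeping `application/` and `system/` outside the document root remains the primary control.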
Associated revisions
fixes #1690, uses encryption for the cache
History
Updated by Mathew Davies over 2 years ago
You should keep Kohana outside the webroot, so it's more of a server configuration error rather than a Kohana error. If that's not possible, add the cache folder to your .htaccess file.
[edit]: One thing to add, if Kohana is used in its default configuration with no .htaccess and it's placed in the webroot, it's vulnerable.
Updated by Sam de Freyssinet over 2 years ago
- Category set to Core
- Status changed from New to Assigned
- Assignee set to Sam de Freyssinet
- Estimated time set to 2.00
Updated by Parnell Springmeyer over 2 years ago
- Status changed from Assigned to Closed
- % Done changed from 0 to 100
Applied in changeset r4372.
Updated by Parnell Springmeyer over 2 years ago
- Resolution set to fixed
I implemented an encryption scheme for the cache - speed loss is negligible, cache is still effective with encryption - it is also by default turned off.