My Drupal site shows the contents of /sites/default and all other folders below /sites

Posted 2024-10-31 16:25:36

I have a problem that could be something simple - but I can't get my head around it at the moment. I have a few sites hosted on my Ubuntu 10.04LTS virtual server, and on all of them (Drupal 6) I can go directly to any folder below (and including) /sites (including the modules directory).

[edit] I've just realised I can go to ANY folder - i.e. /includes as well...[/edit]

I don't recall this being normal, and it certainly seems to be a security risk that I can get to the /sites/default folder - although I may be just being paranoid.

Can anyone confirm if this is normal, and if not point out what might be the root of my problem?

Cheers

Steve


Comments (2)

可是我不能没有你 2024-11-07 16:25:36

You are not being paranoid, you are right: if your /sites/default directory is exposed, so is your settings.php file, which contains your database connection information (host, username, password).
Since the MySQL user that you have to create for Drupal has permissions for DROP TABLE, having your database exposed not only means an infiltration could show data, but also allows the infiltrator to destroy your database.

内心旳酸楚 2024-11-07 16:25:36

I found the problem - it was twofold:

First, for some reason my .htaccess files (generated by Drupal) were missing on some sites (I think this might have been a permissions problem with the root folder for the sites in question).

Second, I had a dodgy rule in the config files for each site that was overriding the .htaccess file anyway - that will teach me to copy-paste from a web blog... found the correct layout for the mod_rewrite section on the Drupal site itself.

It was an odd one, and took a little finding, but it's sorted now.
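
A check for the two causes named in the answer above, as an added example that is not part of the original thread: it flags a docroot with no .htaccess and a vhost config that makes .htaccess ineffective or leaves directory listings on. The post does not say what the bad rule was; `AllowOverride None` and an `Options` line enabling `Indexes` are assumed here as typical culprits (Drupal's stock .htaccess sets `Options -Indexes`), and the function names and sample configs are constructed for illustration.

```python
import os
import re
import tempfile

def indexes_state(conf_text, state=None):
    """Track whether Apache's Indexes option ends up on (True), off (False) or unset (None)."""
    for line in conf_text.splitlines():
        m = re.match(r"\s*Options\s+(.+)", line, re.I)
        if not m:
            continue
        toks = [t.lower() for t in m.group(1).split()]
        if all(t[0] in "+-" for t in toks):   # relative form: only named flags change
            for t in toks:
                if t[1:] == "indexes":
                    state = t[0] == "+"
        else:                                  # absolute form replaces the whole set
            state = "indexes" in toks or "all" in toks
    return state

def audit(docroot, vhost_text):
    """Return findings for one site. Simplification: <Directory> scoping is ignored."""
    findings = []
    state = indexes_state(vhost_text)
    overrides_off = re.search(r"^\s*AllowOverride\s+None\b", vhost_text, re.I | re.M)
    if overrides_off:
        findings.append("vhost sets AllowOverride None: .htaccess is ignored")
    htaccess = os.path.join(docroot, ".htaccess")
    if not os.path.isfile(htaccess):
        findings.append("missing .htaccess in docroot")
    elif not overrides_off:
        with open(htaccess) as fh:
            state = indexes_state(fh.read(), state)
    if state is not False:
        findings.append("Indexes not explicitly disabled: directory listings may be served")
    return findings

def demo():
    # Constructed sample: two docroots and vhost fragments, not taken from the post.
    root = tempfile.mkdtemp()
    good, bad = os.path.join(root, "good"), os.path.join(root, "bad")
    os.makedirs(good)
    os.makedirs(bad)
    with open(os.path.join(good, ".htaccess"), "w") as fh:
        fh.write("# Drupal-style rule\nOptions -Indexes\nOptions +FollowSymLinks\n")
    return {
        "good": audit(good, "AllowOverride All\n"),
        "bad": audit(bad, "Options Indexes FollowSymLinks\nAllowOverride None\n"),
        "ignored": audit(good, "Options +Indexes\nAllowOverride None\n"),
    }

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "ok")
```

The "ignored" case is the one from the thread: the .htaccess file is present and correct, but the vhost config overrides it, so the listing stays on.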
