HTTP access to template.htm

Discussions and requests related to new CMSimple features, plugins, templates etc. and how to develop them.
Please don't ask for support in this forum!
cmb
Posts: 14225
Joined: Tue Jun 21, 2011 11:04 am
Location: Bingen, RLP, DE

HTTP access to template.htm

Post by cmb » Sun Jan 18, 2015 6:38 pm

Hello Community,

Ludwig mentioned this issue in a German thread: usually all files in the template folder can be accessed via HTTP. The particular problem is the template.htm files, which actually shouldn't be accessible -- even though I really appreciate being able to access them for support requests, it is an Information Exposure vulnerability.

It seems to me the cleanest solution would be to rename template.htm to template.php[1], but besides being an obvious BC break, it could lead to worse vulnerabilities[2]. Therefore it seems more appropriate to handle this like the protection of content.htm, i.e. by delivering a .htaccess directly in templates/ which denies access to template.htm for everybody, and to document the issue for other webservers.

In the long run we may consider the renaming to .php, which has been done in CMSimple 4.5 for content.htm. As content.php can be modified from the backend, we would have to take care of OPcache.

BTW: the same issue exists for several plugins, amongst them the standard filebrowser where the template files are .html files.

[1] Actually, template.htm is a PHP file (just as CMSimple_XH's content.htm is one).
[2] Actually, this is rather unlikely, as template.php would error when calling head() or even earlier; still, there might be rare cases which would have to be prevented.
Christoph M. Becker – Plugins for CMSimple_XH
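As an added illustration of the templates/.htaccess approach described above (example configuration, not a file shipped by CMSimple_XH or written by the thread's authors), the following denies HTTP access to every template.htm below templates/ while PHP's include of the file from the filesystem is unaffected. It assumes the layout templates/<name>/template.htm and an Apache vhost whose AllowOverride permits Limit/AuthConfig directives in .htaccess.

```apache
# templates/.htaccess (added example, assumed layout: templates/<name>/template.htm)
# <Files> in a .htaccess applies to this directory and all subdirectories,
# so one file in templates/ covers every installed template.

<Files "template.htm">
    # Apache 2.4 and newer (mod_authz_core)
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>

    # Apache 2.2 and older (mod_authz_host)
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>

# Note: this only blocks direct HTTP requests (e.g. GET /templates/<name>/template.htm).
# The CMS still reads template.htm via the filesystem, so rendering is unchanged.
```

A request for templates/<name>/template.htm should now return 403 Forbidden; if it still returns 200, AllowOverride is most likely set to None for that directory, and the Files block has to go into the vhost configuration instead.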

manu
Posts: 1090
Joined: Wed Jun 04, 2008 12:05 pm
Location: St. Gallen - Schweiz

Re: HTTP access to template.htm

Post by manu » Mon Jan 19, 2015 7:43 am

Securing by .htaccess (and adding a notice in the wiki) might be appropriate.

svasti
Posts: 1659
Joined: Wed Dec 17, 2008 5:08 pm

Re: HTTP access to template.htm

Post by svasti » Mon Jan 19, 2015 4:02 pm

manu wrote: Securing by .htaccess (and adding a notice in the wiki) might be appropriate.
+1

cmb
Posts: 14225
Joined: Tue Jun 21, 2011 11:04 am
Location: Bingen, RLP, DE

Re: HTTP access to template.htm

Post by cmb » Sat Jan 24, 2015 1:59 pm

I thought it would be reasonable to add a system check for the protection of template.htm. While testing this, I found a bug.

The check is implemented with r1474. If anybody has objections, I'll revert the commit.
Christoph M. Becker – Plugins for CMSimple_XH
