Multiple Security Issues with Default Install

Issue #130 resolved
exploitagency
created an issue

First thing for restricting .htaccess

/etc/nginx/sites-conf.d/default-ssl/99-include-tmpl-misc.conf should be loaded first

rename it to /etc/nginx/sites-conf.d/default-ssl/0-include-tmpl-misc.conf

Next, these lines are out of order, restricting access to log files, config files, !!users' private GPG keys if plugin enabled!! etc.

/etc/nginx/templates/roundcube-subdomain.tmpl should be

#
# Run Roundcube as a sub-domain virtual host.
#

location ~ ^/mail/(bin|SQL|README|INSTALL|LICENSE|CHANGELOG|UPGRADING|config|temp|logs|installer)/* { deny all; }
location ~ ^/mail/plugins/enigma/home/* { deny all; }

location / {
    root    /opt/www/roundcubemail;
    index   index.php index.html;
    include /etc/nginx/templates/hsts.tmpl;
}

location ~ \.php$ {
    root            /opt/www/roundcubemail;

    include /etc/nginx/templates/fastcgi_php.tmpl;

    fastcgi_param SCRIPT_FILENAME /opt/www/roundcubemail$fastcgi_script_name;
}

/etc/nginx/templates/roundcube.tmpl should be

# Roundcube webmail

location ~ ^/mail/(bin|SQL|README|INSTALL|LICENSE|CHANGELOG|UPGRADING|config|temp|logs|installer)/* { deny all; }
location ~ ^/mail/plugins/enigma/home/* { deny all; }

location ~ ^/mail(.*)\.php$ {
    include /etc/nginx/templates/hsts.tmpl;
    include /etc/nginx/templates/fastcgi_php.tmpl;
    fastcgi_param SCRIPT_FILENAME /opt/www/roundcubemail$1.php;
}

location ~ ^/mail(.*) {
    alias /opt/www/roundcubemail$1;
    index index.php;
}

I tried to clone and do a PR but Bitbucket is not my thing; I am a GitHub/Linux user. Wasted too much time fooling with it, so I am just opening an issue.

Also note the "/*" above in the deny, as we want to deny an attacker from picking a known file and entering the URL manually.

Comments (69)

  1. exploitagency reporter

    I downloaded the latest stable 0.9.7 from the website and it appears the files have changed in 0.9.8.

    I can modify the stable for now and you can view the changes, unless you just want to look above; those are all the changes. Also, the same applies to the beta.

    PS: In the beta you misspelled composer as composor.

    location ~ ^/(bin|SQL|README|INSTALL|LICENSE|CHANGELOG|UPGRADING|composor.json|jsdeps.json)$ { deny all; }
    

    Should be

    location ~ ^/mail/(bin|SQL|README|INSTALL|LICENSE|CHANGELOG|UPGRADING|config|temp|logs|installer)(.*) { deny all; }
    location ~ ^/mail/plugins/enigma/home(.*) { deny all; }
    location ~ (composer.json|jsdeps.json)(.*) { deny all; }
    

    Unsure of "^/mail" with the new distro though, haven't looked too hard; you'd have to adjust these and test if not working OOTB.

  2. exploitagency reporter

    Be sure to backport to the latest stable and name it something other than 0.9.7, maybe 0.9.7.1, as I submitted 0.9.7 in my CVE as well as 0.9.8BETA1 and before commit X (whatever it was).

    Also is the webmail address still mail.server.com/mail in 0.9.8?

    But before you draft a new release, let me check another configuration for things not using /mail when I get home. I don't think it should be ^/mail after looking at it. Need to check all of the config options though. May even be a good idea to move it all to misc, just need to do some testing. I won't be home for several hours.

    I think specifying /mail we may miss some things.

  3. exploitagency reporter

    This is what I want to test when home

    location ~ /(bin|SQL|config|temp|logs|installer|plugins/enigma/home)($|(/(.*))) { deny all; }
    
    location ~ /(README|INSTALL|LICENSE|CHANGELOG|UPGRADING|composer.json|jsdeps.json)($|\.(.*)|-(.*)) { deny all; }
    

    ^/mail/ only blocks these files in the root folder.

    The first one blocks all folders and what's inside the folder. But in the case of bin it will block "/bin" exactly or "/bin/".

    The second block blocks "/filelisted" and the same file "/filelisted".X or "/filelisted"-X, because people rename things with .old, -old etc.

    Once home, if this config tests OK I suggest using it vs my original post, to prevent blocking files that may be OK to be public and to block all files in subdirectories as well that may be sensitive. Although you know more than I do which ones shouldn't be accessible from the web, so you may add some.

  4. Zhang Huangbin repo owner

    The final settings:

    • /etc/nginx/templates/roundcube.tmpl:
    # Block access to sensitive files.
    location ~ ^/mail/(bin|SQL|README|INSTALL|LICENSE|CHANGELOG|UPGRADING|config|temp|logs|installer|composer|jsdeps) { deny all; }
    location ~ ^/mail/plugins/enigma/home { deny all; }
    
    • /etc/nginx/templates/roundcube-subdomain.tmpl
    # Block access to sensitive files.
    location ~ ^/(bin|SQL|README|INSTALL|LICENSE|CHANGELOG|UPGRADING|config|temp|logs|installer|composer|jsdeps) { deny all; }
    location ~ ^/plugins/enigma/home { deny all; }
    
  5. exploitagency reporter

    Look at the end of my OR statement and read my last post again; it searches for an exact match or backups of files and also subdirectory contents. I think it's right and maybe needs to be broken out into the misc to just declare it all once, but I need to test when home.

    Also, using begins-with ^ will not search for those files within subdirectories of /mail/, like /mail/plugins/identicon/composer.json if that file is there. I've been using an online regex tester for nginx; it might be wrong but I actually trust it to an extent.

  6. Zhang Huangbin repo owner

    A file like /mail/plugins/enigma/README is also published in the Roundcube GitHub repo; it's not a sensitive file, I think.

    I understand you want to hide this file so that crackers cannot know which version of Enigma/Roundcube it is, but this brings another question:

    • do we need to block access to ALL README files in Roundcube directories?
    • Or just the one under enigma plugin directory?
    • Or, are we talking about blocking access to all README files served by Nginx?
  7. Zhang Huangbin repo owner

    Do you mean this one?

    The second block blocks "/filelisted" and the same file "/filelisted".X or "/filelisted"-X because people rename things with .old -old etc.

    I don't get it. With location ~ ^... (the ^), it matches /filelisted*, so it should solve your concern.

    Also, your config cannot cover all possible characters used for a backup file name; file.bak and file-bak are normal, but how about file=bak, file<whatever>bak?

    It will be better and easier for me to understand you if you can list the purpose directly, not an Nginx config snippet.

  8. exploitagency reporter

    You don't want to hide legitimate files and folders though, and it's an effort to avoid that.

    I feel best about this code snippet

    location ~ /(bin|SQL|config|temp|logs|installer|plugins/enigma/home)($|(/(.*))) { deny all; }
    
    location ~ /(README|INSTALL|LICENSE|CHANGELOG|UPGRADING|composer.json|jsdeps.json)($|\.(.*)|-(.*)) { deny all; }
    
  9. exploitagency reporter

    I was trying for a catch-all solution. My biggest concerns are the folders and contents of folders and enigma home. I'm not sure about composer, which you added to the blacklist, but it should not be ^/ to cover all instances; that was my example.

    Your solution solves the main problem but I felt my solution was safer. I will let you know more when I can test things.

  10. Zhang Huangbin repo owner

    My biggest concerns are the folders and contents of folders and enigma home.

    Now i understand what you mean.

    location ~ /(bin|SQL|config|temp|logs|installer|plugins/enigma/home)($|(/(.*))) { deny all; }
    location ~ /(README|INSTALL|LICENSE|CHANGELOG|UPGRADING|composer.json|jsdeps.json)($|\.(.*)|-(.*)) { deny all; }

    • Your Nginx rules separate directories and files, this is better than default iRedMail settings.
    • Your first rule covers files under certain directories, this is even better.

    I will use your rule instead, but we can remove a few characters to make it simpler:

    # Cover all directories (except 'skins') and files under these directories
    location ~ /(bin|config|installer|logs|plugins|program|public_html|SQL|temp|vendor)($|/.*) { deny all; }
    
    # Cover certain files under Roundcube top-directory and files start with same name.
    location ~ ^/(CHANGELOG|composer.json|INSTALL|jsdeps.json|LICENSE|README.md|UPGRADING)($|.*) { deny all; }
    

    Tested and it works for me.

    Any opinion?

  11. exploitagency reporter

    Take the ^ off the second rule. I saw composer in a plugin folder also but don't know much about it, just that you want it restricted. Remove .md. Also, the second rule will accidentally catch some files, which is why I had it as .|-. vs . to find files with . or -* after the names, but with the names in the list I suppose it shouldn't matter and may even be safer your way, catching more files.

    I feel good about the changes above though.

    Should it be case insensitive? ~* would cover user error renaming files a bit, but may interfere with other web functions more.

  12. Zhang Huangbin repo owner

    Did some more testing, modified to:

    # Block access to default directories (except 'skins' and 'plugins') and files under these directories
    location ~ /(bin|config|installer|logs|program|public_html|SQL|temp|vendor)($|/.*) { deny all; }
    
    # Block access to default files under top-directory and files start with same name.
    location ~ /(CHANGELOG|composer.json|INSTALL|jsdeps.json|LICENSE|README.md|UPGRADING)($|.*) { deny all; }
    
    # Block plugin config files
    location ~ ^/plugins/.*/config.inc.php { deny all; }
    
    # Block access to plugin data
    location ~ /plugins/enigma/home($|/.*) { deny all; }
    
  13. exploitagency reporter

    Add a * to config.inc.php because it also ships with X-dist or .dist or something like that and people will see the defaults.

    I was unsure if that file needed to be public or not.

  14. Zhang Huangbin repo owner

    i saw composer in a plugin folder also but dont know much about it just that you want it restricted

    composer.json is used by the program composer from the command line.

    Drop the md off readme to cover it all

    Good catch.

    drop the tilde from 3rd block for /mail/plugins to be caught and place in misc.tmpl?

    misc.tmpl is used for general rules. For Roundcube, we define rules in roundcube.tmpl, not other tmpl files.

    Add a * to config.inc.php because it also ships with X-dist or .dist or aomething like that and people will see the defaults

    Good catch.

    After all these fixes, final setting:

    # Block access to default directories and files under these directories
    location ~ /(bin|config|installer|logs|public_html|SQL|temp|vendor)($|/.*) { deny all; }
    
    # Block access to default files under top-directory and files start with same name.
    location ~ /(CHANGELOG|composer.json|INSTALL|jsdeps.json|LICENSE|README|UPGRADING)($|.*) { deny all; }
    
    # Block plugin config files
    location ~ /plugins/.*/config.inc.php* { deny all; }
    
    # Block access to plugin data
    location ~ /plugins/enigma/home($|/.*) { deny all; }
    
  15. Zhang Huangbin repo owner

    I tested and it works for me. It's always better to have another eye take another look; I will wait for your test. Don't forget this after you arrive home :)

  16. Zhang Huangbin repo owner

    I don't understand this question.

    We will place all these location ... in /etc/nginx/templates/roundcube.tmpl (and roundcube-subdomain.tmpl). The order of misc.tmpl is another fix.

  17. Zhang Huangbin repo owner

    For /etc/nginx/templates/roundcube-subdomain.tmpl:

    # Block access to default directories and files under these directories
    location ~ /(bin|config|installer|logs|public_html|SQL|temp|vendor)($|/.*) { deny all; }
    
    # Block access to default files under top-directory and files start with same name.
    location ~ /(CHANGELOG|composer.json|INSTALL|jsdeps.json|LICENSE|README|UPGRADING)($|.*) { deny all; }
    
    # Block plugin config files
    location ~ /plugins/.*/config.inc.php* { deny all; }
    
    # Block access to plugin data
    location ~ /plugins/enigma/home($|/.*) { deny all; }
    

    For /etc/nginx/templates/roundcube.tmpl:

    # Block access to default directories and files under these directories
    location ~ /mail/(bin|config|installer|logs|public_html|SQL|temp|vendor)($|/.*) { deny all; }
    
    # Block access to default files under top-directory and files start with same name.
    location ~ /mail/(CHANGELOG|composer.json|INSTALL|jsdeps.json|LICENSE|README|UPGRADING)($|.*) { deny all; }
    
    # Block plugin config files and sample config files.
    location ~ /mail/plugins/.*/config.inc.php.* { deny all; }
    
    # Block access to plugin data
    location ~ /mail/plugins/enigma/home($|/.*) { deny all; }
    
  18. exploitagency reporter

    Bold didn't work with that, so I made an edit.

    The above covers /mail/config and /mail/directory/config.

    I mean these files are just in theory and may never exist in Roundcube, but it's there just in case. For the second line it's important, I think.

  19. exploitagency reporter

    I did it anyway, deleted the block from both Roundcube templates and added this to misc, and it worked, just declaring this all at once before either Roundcube template file is loaded.

    misc.tmpl

    location ~ ^/.well-known/ {
        allow all;
        access_log off;
        log_not_found off;
        autoindex off;
        #alias /var/www/html;
    }
    
    # Deny all attempts to access hidden files such as .htaccess.
    location ~ /\. { deny all; }
    
    # Handling noisy messages
    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt { access_log off; log_not_found off; }
    
    # Block access to default directories and files under these directories
    location ~ /(bin|config|installer|logs|public_html|SQL|temp|vendor)($|/.*) { deny all; }
    
    # Block access to default files under top-directory and files start with same name.
    location ~ /(CHANGELOG|composer.json|INSTALL|jsdeps.json|LICENSE|README|UPGRADING)($|.*) { deny all; }
    
    # Block plugin config files
    location ~ /plugins/.*/config.inc.php.* { deny all; }
    
    # Block access to plugin data
    location ~ /plugins/enigma/home($|/.*) { deny all; }
    

    But your way will work too, as long as you make the changes below, as composer.json and some of these other files and dirs are in subfolders occasionally.

    roundcube.tmpl

    # Block access to default directories and files under these directories
    location ~ /mail/.*(bin|config|installer|logs|public_html|SQL|temp|vendor)($|/.*) { deny all; }
    
    # Block access to default files under top-directory and files start with same name.
    location ~ /mail/.*(CHANGELOG|composer.json|INSTALL|jsdeps.json|LICENSE|README|UPGRADING)($|.*) { deny all; }
    
    # Block plugin config files and sample config files.
    location ~ /mail/plugins/.*/config.inc.php.* { deny all; }
    
    # Block access to plugin data
    location ~ /mail/plugins/enigma/home($|/.*) { deny all; }
    
  20. Zhang Huangbin repo owner

    I won't add them in misc.tmpl, because these rules may impact other web applications IF roundcube is not installed.

    What we're talking about are the location ... rules themselves; if they work fine, then this issue should be closed.

  21. exploitagency reporter

    Sounds fine to me but you should make this change then I will smile over it

    Thanks for being so proactive by the way!

    roundcube.tmpl

    # Block access to default directories and files under these directories
    location ~ /mail/.*(bin|config|installer|logs|public_html|SQL|temp|vendor)($|/.*) { deny all; }
    
    # Block access to default files under top-directory and files start with same name.
    location ~ /mail/.*(CHANGELOG|composer.json|INSTALL|jsdeps.json|LICENSE|README|UPGRADING)($|.*) { deny all; }
    
    # Block plugin config files and sample config files.
    location ~ /mail/plugins/.*/config.inc.php.* { deny all; }
    
    # Block access to plugin data
    location ~ /mail/plugins/enigma/home($|/.*) { deny all; }
    
  22. exploitagency reporter

    # Block access to default directories and files under these directories
    location ~ /mail(/|/.*/)(bin|config|installer|logs|public_html|SQL|temp|vendor)($|/.*) { deny all; }
    
    # Block access to default files under top-directory and files start with same name.
    location ~ /mail(/|/.*/)(CHANGELOG|composer.json|INSTALL|jsdeps.json|LICENSE|README|UPGRADING)($|.*) { deny all; }
    
    # Block plugin config files and sample config files.
    location ~ /mail/plugins/.*/config.inc.php.* { deny all; }
    
    # Block access to plugin data
    location ~ /mail/plugins/enigma/home($|/.*) { deny all; }
    
  23. Zhang Huangbin repo owner

    Also, after testing, I found that there is no need to rename /etc/nginx/sites-conf.d/default-ssl/99-include-tmpl-misc.conf to /etc/nginx/sites-conf.d/default-ssl/0-include-tmpl-misc.conf.

    Could you please help test and confirm?

  24. Zhang Huangbin repo owner

    I modified it to be /mail(/|/.*/)

    I don't think we need this. Just /mail/ should be fine, not /mail(/|/.*/). There are no files/dirs like:

    • /mail/abc/bin/
    • /mail/abc/installer/
    • /mail/abc/logs/
  25. exploitagency reporter

    I can confirm that you still need to move it. Add a file ".test" in the root dir. You can still access it; now move the file as suggested and the rule is honored. This rule doesn't get honored if it doesn't load first.

    # Deny all attempts to access hidden files such as .htaccess.
    location ~ /\. { deny all; }
    
  26. exploitagency reporter

    I'm happy either way. You've been excellent responding to the issue. It offers much improved security now and I hope you update both the stable release and the beta on the website once we come to a conclusion.

  27. exploitagency reporter

    But definitely rename the misc file to load first. Finding .htaccess files or other hidden stuff IMO is usually a flag that someone shouldn't be in that directory and then they snoop.

  28. Zhang Huangbin repo owner

    The access to dot files is successfully blocked when misc.tmpl is loaded as last include file.

    I can confirm that you still need to move it. Add a file ".test" in the root dir. You can still access it,

    I tried this, it's blocked. With debug enabled in Nginx, it says:

    2018/02/15 17:43:32 [debug] 3011#3011: *4 http request line: "GET /.htaccess HTTP/1.1"
    2018/02/15 17:43:32 [debug] 3011#3011: *4 s:0 in:'2F:/'
    2018/02/15 17:43:32 [debug] 3011#3011: *4 s:1 in:'2E:.'
    2018/02/15 17:43:32 [debug] 3011#3011: *4 s:2 in:'68:h'
    2018/02/15 17:43:32 [debug] 3011#3011: *4 s:0 in:'74:t'
    2018/02/15 17:43:32 [debug] 3011#3011: *4 s:0 in:'61:a'
    2018/02/15 17:43:32 [debug] 3011#3011: *4 s:0 in:'63:c'
    2018/02/15 17:43:32 [debug] 3011#3011: *4 s:0 in:'63:c'
    2018/02/15 17:43:32 [debug] 3011#3011: *4 s:0 in:'65:e'
    2018/02/15 17:43:32 [debug] 3011#3011: *4 s:0 in:'73:s'
    2018/02/15 17:43:32 [debug] 3011#3011: *4 s:0 in:'73:s'
    2018/02/15 17:43:32 [debug] 3011#3011: *4 http uri: "/.htaccess"
    2018/02/15 17:43:32 [debug] 3011#3011: *4 http args: ""
    2018/02/15 17:43:32 [debug] 3011#3011: *4 http exten: ""
    2018/02/15 17:43:32 [debug] 3011#3011: *4 posix_memalign: 0000557120E72B60:4096 @16
    2018/02/15 17:43:32 [debug] 3011#3011: *4 http process request header line
    2018/02/15 17:43:32 [debug] 3011#3011: *4 http header: "Host: u16"
    2018/02/15 17:43:32 [debug] 3011#3011: *4 http header: "Connection: keep-alive"
    2018/02/15 17:43:32 [debug] 3011#3011: *4 http header: "Cache-Control: max-age=0"
    2018/02/15 17:43:32 [debug] 3011#3011: *4 http header: "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
    2018/02/15 17:43:32 [debug] 3011#3011: *4 http header: "Upgrade-Insecure-Requests: 1"
    2018/02/15 17:43:32 [debug] 3011#3011: *4 http header: "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8"
    2018/02/15 17:43:32 [debug] 3011#3011: *4 http header: "DNT: 1"
    2018/02/15 17:43:32 [debug] 3011#3011: *4 http header: "Accept-Encoding: gzip, deflate, br"
    2018/02/15 17:43:32 [debug] 3011#3011: *4 http header: "Accept-Language: en-US,en;q=0.9,zh-TW;q=0.8,zh;q=0.7,zh-CN;q=0.6"
    2018/02/15 17:43:32 [debug] 3011#3011: *4 http header done
    2018/02/15 17:43:32 [debug] 3011#3011: *4 event timer del: 3: 1518687872014
    2018/02/15 17:43:32 [debug] 3011#3011: *4 generic phase: 0
    2018/02/15 17:43:32 [debug] 3011#3011: *4 rewrite phase: 1
    2018/02/15 17:43:32 [debug] 3011#3011: *4 http script regex: "^/.well-known/caldav"
    2018/02/15 17:43:32 [notice] 3011#3011: *4 "^/.well-known/caldav" does not match "/.htaccess", client: 172.16.100.1, server: _, request: "GET /.htaccess HTTP/1.1", host: "u16"
    2018/02/15 17:43:32 [debug] 3011#3011: *4 http script regex: "^/.well-known/carddav"
    2018/02/15 17:43:32 [notice] 3011#3011: *4 "^/.well-known/carddav" does not match "/.htaccess", client: 172.16.100.1, server: _, request: "GET /.htaccess HTTP/1.1", host: "u16"
    2018/02/15 17:43:32 [debug] 3011#3011: *4 http script regex: "^/principals"
    2018/02/15 17:43:32 [notice] 3011#3011: *4 "^/principals" does not match "/.htaccess", client: 172.16.100.1, server: _, request: "GET /.htaccess HTTP/1.1", host: "u16"
    2018/02/15 17:43:32 [debug] 3011#3011: *4 test location: "/mail"
    2018/02/15 17:43:32 [debug] 3011#3011: *4 test location: "/favicon.ico"
    2018/02/15 17:43:32 [debug] 3011#3011: *4 test location: "/SOGo"
    2018/02/15 17:43:32 [debug] 3011#3011: *4 test location: "/Microsoft-Server-ActiveSync"
    2018/02/15 17:43:32 [debug] 3011#3011: *4 test location: ~ "^/iredadmin/static/(.*)"
    2018/02/15 17:43:32 [debug] 3011#3011: *4 test location: ~ "^/iredadmin(.*)"
    2018/02/15 17:43:32 [debug] 3011#3011: *4 test location: ~ "/mail/(bin|config|installer|logs|public_html|SQL|temp|vendor)($|/.*)"
    2018/02/15 17:43:32 [debug] 3011#3011: *4 test location: ~ "/mail/(CHANGELOG|composer.json|INSTALL|jsdeps.json|LICENSE|README|UPGRADING)($|.*)"
    2018/02/15 17:43:32 [debug] 3011#3011: *4 test location: ~ "/mail/plugins/.*/config.inc.php*"
    2018/02/15 17:43:32 [debug] 3011#3011: *4 test location: ~ "/mail/plugins/enigma/home($|/.*)"
    2018/02/15 17:43:32 [debug] 3011#3011: *4 test location: ~ "^/mail/(.*\.php)$"
    2018/02/15 17:43:32 [debug] 3011#3011: *4 test location: ~ "^/mail/(.*)"
    2018/02/15 17:43:32 [debug] 3011#3011: *4 test location: ~ "^/sogo"
    2018/02/15 17:43:32 [debug] 3011#3011: *4 test location: ~ "^/SOGO"
    2018/02/15 17:43:32 [debug] 3011#3011: *4 test location: ~ "/netdata/(?<ndpath>.*)"
    2018/02/15 17:43:32 [debug] 3011#3011: *4 test location: ~ "\.php$"
    2018/02/15 17:43:32 [debug] 3011#3011: *4 test location: ~ "^/.well-known/"
    2018/02/15 17:43:32 [debug] 3011#3011: *4 test location: ~ "/\."
    2018/02/15 17:43:32 [debug] 3011#3011: *4 using configuration "/\."
    2018/02/15 17:43:32 [debug] 3011#3011: *4 http cl:-1 max:12582912
    2018/02/15 17:43:32 [debug] 3011#3011: *4 rewrite phase: 3
    2018/02/15 17:43:32 [debug] 3011#3011: *4 post rewrite phase: 4
    2018/02/15 17:43:32 [debug] 3011#3011: *4 generic phase: 5
    2018/02/15 17:43:32 [debug] 3011#3011: *4 generic phase: 6
    2018/02/15 17:43:32 [debug] 3011#3011: *4 generic phase: 7
    2018/02/15 17:43:32 [debug] 3011#3011: *4 access phase: 8
    2018/02/15 17:43:32 [debug] 3011#3011: *4 access phase: 9
    2018/02/15 17:43:32 [debug] 3011#3011: *4 access: 016410AC 00000000 00000000
    2018/02/15 17:43:32 [error] 3011#3011: *4 access forbidden by rule, client: 172.16.100.1, server: _, request: "GET /.htaccess HTTP/1.1", host: "u16"
    2018/02/15 17:43:32 [debug] 3011#3011: *4 http finalize request: 403, "/.htaccess?" a:1, c:1
    2018/02/15 17:43:32 [debug] 3011#3011: *4 http special response: 403, "/.htaccess?"
    2018/02/15 17:43:32 [debug] 3011#3011: *4 http set discard body
    2018/02/15 17:43:32 [debug] 3011#3011: *4 xslt filter header
    2018/02/15 17:43:32 [debug] 3011#3011: *4 HTTP/1.1 403 Forbidden
    
  29. Zhang Huangbin repo owner

    I have only tested on 0.9.7 and it doesn't block file "/mail/.test" for me as 99-*

    I think it's caused by the improper Nginx rule for Roundcube we're working on. After this fix, could you try to load misc.tmpl as the last include?

  30. exploitagency reporter

    No I was wrong, I tested again, .htaccess and .test are still accessible when file is named 99-include-tmpl-misc.conf

    It should be named 0-include-tmpl-misc.conf

    Things in nginx only get denied when loaded before the things attempting to deny

  31. Zhang Huangbin repo owner

    I understand the order of rules matters, but I cannot reproduce this issue anymore after updating the Roundcube rules.

    Could you double check your Nginx config files to make sure Roundcube rules are updated?

  32. exploitagency reporter

    I still have the same issue on 0.9.7: unless misc is loaded first, all .* files are downloadable that aren't in folders restricted by our new rules,

    such as I can download /mail/.htaccess and /mail/.test,

    because otherwise the deny in the misc file would be loaded after the Roundcube templates and then be ineffective.

  33. exploitagency reporter

    You could move that rule above both the roundcube templates if that makes you happier and it should work.

    # Deny all attempts to access hidden files such as .htaccess.
    location ~ /\. { deny all; }
    
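An added example, not code from this thread or from iRedMail: a Python simulation of how nginx picks a `location ~` block (first regex location in config order wins), run over the comment 17 Roundcube rules and the misc.tmpl dot-file deny from comment 19, to reproduce the include-order disagreement of comments 25-33 offline. It assumes prefix locations can be ignored and uses constructed request paths.

```python
import re

# nginx evaluates "location ~" (regex) blocks in the order they appear in the
# merged config and uses the FIRST one that matches.  This simulator replays
# that rule over the Roundcube rule set from comment 17 plus the dot-file deny
# from misc.tmpl, so the include-order question from comments 25-33 can be
# checked offline.  Prefix locations (e.g. "location /mail") are left out;
# a matching regex location wins over them anyway.

# Rules from /etc/nginx/templates/roundcube.tmpl (comment 17), in file order.
# The last two stand in for the PHP and static handlers seen in the debug log.
ROUNDCUBE_RULES = [
    (r"/mail/(bin|config|installer|logs|public_html|SQL|temp|vendor)($|/.*)", "deny"),
    (r"/mail/(CHANGELOG|composer.json|INSTALL|jsdeps.json|LICENSE|README|UPGRADING)($|.*)", "deny"),
    (r"/mail/plugins/.*/config.inc.php.*", "deny"),
    (r"/mail/plugins/enigma/home($|/.*)", "deny"),
    (r"^/mail/(.*\.php)$", "php"),
    (r"^/mail/(.*)", "static"),
]

# Rules from misc.tmpl (comment 19) that matter for this question.
MISC_RULES = [
    (r"^/.well-known/", "allow"),
    (r"/\.", "deny"),          # hidden files such as .htaccess
]


def first_match(rules, uri):
    """Return the action of the first regex location matching uri, as nginx does."""
    for pattern, action in rules:
        if re.search(pattern, uri):
            return action
    return "no-match"


def resolve(uri, misc_first):
    """Resolve uri with misc.tmpl included before (True) or after (False) roundcube.tmpl."""
    rules = MISC_RULES + ROUNDCUBE_RULES if misc_first else ROUNDCUBE_RULES + MISC_RULES
    return first_match(rules, uri)


# Constructed request paths (not captured from a real server) covering the
# cases argued over in the thread.
SAMPLE_URIS = [
    "/mail/.htaccess",                            # the include-order problem
    "/mail/config/config.inc.php",                # directory rule
    "/mail/bin",                                  # bare directory name, "$" branch
    "/mail/binary.txt",                           # must NOT be caught by the "bin" rule
    "/mail/README.md",                            # file rule with trailing ".*"
    "/mail/plugins/enigma/README",                # plugin README stays public (comment 6)
    "/mail/plugins/example/config.inc.php.dist",  # sample config (comment 13)
    "/mail/plugins/enigma/home/keys",             # enigma key store
    "/mail/index.php",                            # normal PHP handler
    "/mail/skins/elastic/ui.min.css",             # normal static asset
]


def compare_orders(uris=SAMPLE_URIS):
    """Map each uri to (action with misc last, action with misc first)."""
    return {uri: (resolve(uri, False), resolve(uri, True)) for uri in uris}


if __name__ == "__main__":
    print(f"{'URI':45} {'misc last':10} {'misc first':10}")
    for uri, (last, first) in compare_orders().items():
        flag = "  <-- differs" if last != first else ""
        print(f"{uri:45} {last:10} {first:10}{flag}")
```

Only /mail/.htaccess changes outcome between the two orders: with misc.tmpl last, the catch-all `^/mail/(.*)` claims it before `/\.` is reached, which matches what the reporter saw for /mail/.test while the owner's /.htaccess test (outside /mail) was blocked either way.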