Whmcs Needing Attention Sensitive Directory Check /vendor

Needing Attention Sensitive Directory Check
One or more sensitive directories are accessible from the web:
Please refer to our Further Security Steps for information.


A verification tool has also been made available to assist in determining
if your web server environment is affected. This tool can be downloaded here.

To use the tool, simply upload it to the root directory of your WHMCS installation
and then visit in a browser or run from the command line.
The tool will confirm if you are affected.

How to fix the vulnerability

The solution depends upon your web server environment and various configurations.

Apache Web Server Software

Apache is the recommended web server software platform to run WHMCS on. By default a .htaccess file is provided which in most cases should be sufficient to direct the Apache web server to disallow web based access to files within the vendor directory.
If you are running Apache and files remain accessible, please first ensure that the /vendor/.htaccess file exists, has appropriate ownership and permissions, and that it contains the following directive:

Deny from all
If files continue to remain accessible, then you will want to investigate if your Apache configuration has disabled the use of .htaccess files or if there is a parent configuration that is negating the directive in the provided .htaccess file.


.htaccess 3

1- public_html
2- whmcs

3- whmcs vendor deny

redirect 400, 401, 402, 403, 404
public_html whmcs .