WHMCS script: fixing the "Needing Attention Sensitive Directory Check /vendor" problem

Needing Attention Sensitive Directory Check
One or more sensitive directories are accessible from the web:
/vendor
Please refer to our Further Security Steps for information.
WHMCS provides a verification tool: download it into the whmcs directory, then open its URL in the browser and look at the result it shows.

It tells you whether the /vendor path is protected or not.

A verification tool has also been made available to assist in determining
if your web server environment is affected. This tool can be downloaded here.

To use the tool, simply upload it to the root directory of your WHMCS installation
and then visit in a browser or run from the command line.
The tool will confirm if you are affected.


How to fix the vulnerability

The solution depends upon your web server environment and various configurations.

Apache Web Server Software

Apache is the recommended web server software platform to run WHMCS on. By default a .htaccess file is provided which in most cases should be sufficient to direct the Apache web server to disallow web based access to files within the vendor directory.
If you are running Apache and files remain accessible, please first ensure that the /vendor/.htaccess file exists, has appropriate ownership and permissions, and that it contains the following directive:

Code:
Deny from all
If files continue to remain accessible, then you will want to investigate if your Apache configuration has disabled the use of .htaccess files (AllowOverride None) or if there is a parent configuration that is negating the directive in the provided .htaccess file. Note that "Deny from all" is the Apache 2.2 syntax; on Apache 2.4 it only works when mod_access_compat is loaded, and the native 2.4 equivalent is "Require all denied".

Solution:

The solution lies in the .htaccess file, which you will find in three places:

1- In the public_html directory, make sure it contains no unusual code.
2- In the whmcs directory, make sure it contains no unusual code.
3- Inside the whmcs directory, make sure the vendor/.htaccess file contains the deny directive.

In most cases you will find redirect code for error pages such as 400, 401, 402, 403, 404 (an ErrorDocument directive). When the ErrorDocument target is a full URL, Apache answers with a redirect instead of the 403 that "Deny from all" produces, so the check sees a non-403 response for /vendor and reports the directory as accessible even though the deny directive is in place.
Remove this code, or anything like it, from the .htaccess in public_html or whmcs if you find it. If you need custom error pages, point ErrorDocument at a local path (for example /errors/403.html) rather than a full URL; a local target keeps the real status code.
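The three-file check above, as an added example in Python (this is not WHMCS's verification tool and not code from the original post). It reads public_html/.htaccess, whmcs/.htaccess and whmcs/vendor/.htaccess, reports a missing deny directive in vendor, and flags any ErrorDocument whose target is a full URL, since Apache answers those with a redirect rather than the 403. The directory layout (public_html with a whmcs subdirectory) and the sample .htaccess contents are assumptions constructed for the demo; adjust the paths to your own install.

```python
"""Static check for the WHMCS /vendor 'Sensitive Directory' warning.

Added example, not WHMCS's tool.  Reads the three .htaccess files named in
the post and reports (a) a missing deny directive in vendor/ and (b) any
ErrorDocument whose target is a full URL, because Apache sends a redirect
to such a target instead of the 403 the deny directive produces.
The layout (docroot/whmcs/vendor) and sample files below are constructed.
"""
import re
import tempfile
from pathlib import Path

# Apache 2.2 form (needs mod_access_compat on 2.4) and the native 2.4 form.
DENY_RE = re.compile(r"^\s*(Deny\s+from\s+all|Require\s+all\s+denied)\s*$",
                     re.IGNORECASE | re.MULTILINE)
# ErrorDocument <status> <target>
ERRORDOC_RE = re.compile(r"^\s*ErrorDocument\s+(\d{3})\s+(\S+)",
                         re.IGNORECASE | re.MULTILINE)
FULL_URL_RE = re.compile(r"^https?://", re.IGNORECASE)


def strip_comments(text: str) -> str:
    """Drop '#' lines so a commented-out directive is not counted as active."""
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))


def has_deny_directive(text: str) -> bool:
    """True if the file carries 'Deny from all' or 'Require all denied'."""
    return DENY_RE.search(strip_comments(text)) is not None


def masking_error_documents(text: str) -> list[tuple[int, str]]:
    """ErrorDocument entries whose target is a full URL.  Apache answers those
    with a 302 to the target, so a probe of /vendor/ sees a redirect, not 403."""
    return [(int(code), target)
            for code, target in ERRORDOC_RE.findall(strip_comments(text))
            if FULL_URL_RE.match(target)]


def check_vendor_protection(docroot: Path, whmcs_subdir: str = "whmcs") -> list[str]:
    """Return findings for the three files; an empty list means they look right."""
    findings = []
    vendor_htaccess = docroot / whmcs_subdir / "vendor" / ".htaccess"
    if not vendor_htaccess.is_file():
        findings.append(f"{whmcs_subdir}/vendor/.htaccess is missing")
    elif not has_deny_directive(vendor_htaccess.read_text()):
        findings.append(f"{whmcs_subdir}/vendor/.htaccess has no "
                        "'Deny from all' / 'Require all denied'")
    # Parent files: a redirecting ErrorDocument here replaces the 403 response.
    for rel in (".htaccess", f"{whmcs_subdir}/.htaccess"):
        parent = docroot / rel
        if parent.is_file():
            for code, target in masking_error_documents(parent.read_text()):
                findings.append(f"{rel}: 'ErrorDocument {code} {target}' "
                                f"turns a {code} into a redirect")
    return findings


# Constructed sample files: the broken public_html/.htaccess and the fixed one.
BAD_ROOT_HTACCESS = """# public_html/.htaccess on the broken install (constructed sample)
ErrorDocument 403 https://www.example.com/errors/403.html
ErrorDocument 404 https://www.example.com/errors/404.html
"""
GOOD_ROOT_HTACCESS = """# same file after the fix: local targets keep the real status code
ErrorDocument 403 /errors/403.html
ErrorDocument 404 /errors/404.html
"""
VENDOR_HTACCESS = "Deny from all\n"


def run_demo() -> tuple[list[str], list[str]]:
    """Build the tree in a temp dir and check it before and after the fix."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "whmcs" / "vendor").mkdir(parents=True)
        (root / "whmcs" / "vendor" / ".htaccess").write_text(VENDOR_HTACCESS)
        (root / "whmcs" / ".htaccess").write_text("# nothing unusual here\n")
        (root / ".htaccess").write_text(BAD_ROOT_HTACCESS)
        before = check_vendor_protection(root)
        (root / ".htaccess").write_text(GOOD_ROOT_HTACCESS)
        after = check_vendor_protection(root)
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("before fix:", *before, sep="\n  ")
    print("after fix:", after or "no findings")
```

Run it against a real install with `check_vendor_protection(Path("/home/user/public_html"))`; the static check complements, but does not replace, the live check with WHMCS's tool, which is what actually observes the HTTP status the server returns for /vendor.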

Result:

Reference:
https://docs.whmcs.com/Security_Advisory_2020-01-28