Status Code 200 error in uploads folder

Hello there,

I'm getting this error in my version 23 installation.

The system check has detected that your uploads folder is returning a 200 status code, which indicates that it is publicly accessible. This suggests a serious issue in your server configuration that should be addressed immediately. Please visit our Post-Install and Server Config page for instructions to fix this issue.

I followed all the steps but I'm still stuck... What I don't understand is that the 200 status code is supposed to be a "success" status code... :/

Any suggestions?

Comments

  • Hi Manuel, we added this check into v23 to help identify security issues where your uploads folder might be web-accessible, which can be serious because it means anyone on the internet could access uploaded files. If you open your web browser and go to your Gibbon URL + /uploads (for my test system, it's http://localhost:8888/uploads), you should see a 403 Forbidden or a 404 Not Found, which would indicate that your uploads folder is secure. If you can see a list of files in the folder, this means your system has directory Indexes turned on, which will need to be turned off to secure your files.
  • I was already getting this on my browser: https://gibbon.cbc.edu.do/uploads

    Forbidden
    You don't have permission to access this resource.

    Apache/2.4.41 (Ubuntu) Server at gibbon.cbc.edu.do Port 443

    So I guess everything is set in my own installation, but Gibbon is still giving this warning... Guess the Gibbon system check needs a few tweaks there.
  • If you head to your apache2 config file, there is an option that you can remove that fixes this issue. It's called folder indexing and is typically found here:
    /etc/apache2/apache2.conf

    The lines you're looking for are these:
    
            Options Indexes FollowSymLinks
            AllowOverride None
            Require all granted
    
    You want it to look like this:

            Options FollowSymLinks
            AllowOverride None
            Require all granted

    ...So you remove the indexing feature.
    manuelruizp84
  • There is apparently no easy way to show < > tags in this forum! So here we go again:
    Replace this:

    < Directory /var/www/ >
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
    < /Directory >

    With this:

    < Directory /var/www/ >
    Options FollowSymLinks
    AllowOverride None
    Require all granted
    < /Directory >

    I had to add spaces to the < >, so make sure you're not copying and pasting from here. Just remove the word Indexes!
    manuelruizp84
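
Added example, not part of any forum post or of Gibbon's own code: a small Python scanner that lists the Directory blocks in an Apache config whose Options line leaves Indexes on. It goes beyond the single case in the thread by also handling the `All`, `+Indexes` and `-Indexes` forms. The sample config is constructed, and the /var/www/gibbon/uploads path in it is an assumption.

```python
import re

# Constructed sample: the block quoted in the thread plus an assumed,
# already hardened uploads block (path is hypothetical).
SAMPLE_CONF = """\
<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
<Directory /var/www/gibbon/uploads>
    # Options Indexes  (commented out, ignored)
    Options -Indexes +FollowSymLinks
</Directory>
"""

OPEN_RE = re.compile(r"^<Directory\s+\"?([^\">]+?)\"?\s*>$", re.IGNORECASE)
CLOSE_RE = re.compile(r"^</Directory\s*>$", re.IGNORECASE)

def options_enable_indexes(args):
    """Return True if this Options argument list leaves Indexes switched on."""
    enabled = False
    for token in args:
        name = token.lstrip("+-").lower()
        if name in ("indexes", "all"):   # "All" includes Indexes
            enabled = not token.startswith("-")
        elif name == "none":
            enabled = False
    return enabled

def find_indexed_directories(conf_text):
    """Return (directory, line_number) for each Options line enabling Indexes."""
    findings, stack = [], []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # skip blanks and comments
        opened = OPEN_RE.match(line)
        if opened:
            stack.append(opened.group(1))
        elif CLOSE_RE.match(line) and stack:
            stack.pop()
        elif stack and line.split()[0].lower() == "options":
            if options_enable_indexes(line.split()[1:]):
                findings.append((stack[-1], lineno))
    return findings

if __name__ == "__main__":
    print(find_indexed_directories(SAMPLE_CONF))
```

To check a real server, pass the contents of /etc/apache2/apache2.conf to `find_indexed_directories`; included files and .htaccess overrides are not followed.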
  • Qualitymix,

    thank you!!!!!!!!!!!!

    It's working fine now!
    Qualitymix
  • Yes, I found it!!! Restarted the apache2 service and WALAH! No warnings from Gibbon... Just needed to remove the word "indexes". Thanks!! Last week has really been the longest time that I've spent using and setting up Linux (normally a Windows user)... And so far, learning a LOT. Thanks!!
    Qualitymix
  • Thanks for the instructions Qualitymix, I'll update our documentation for this process so that it's more clear and includes these instructions for Apache : )