Status Code 200 error in uploads folder

manuelruizp84manuelruizp84
in Security
Hello there,

I'm getting this error in my version 23 installation.

The system check has detected that your uploads folder is returning a 200 status code, which indicates that it is publicly accessible. This suggests a serious issue in your server configuration that should be addressed immediately. Please visit our Post-Install and Server Config page for instructions to fix this issue.

I followed all the steps but I'm still stuck... What I don't understand is that the 200 status code is supposed to be a "success" status code... :/

Any suggestions?

Comments

  • sandrasandra
    Hi Manuel, we added this check into v23 to help identify security issues where your uploads folder might be web-accessible, which can be serious because it means anyone on the internet could access uploaded files. If you open your web browser, go to your Gibbon url + /uploads (for my test system, it's http://localhost:8888/uploads). You should see a 403 Forbidden or a 404 Not Found, which would indicate that your uploads folder is secure. If you can see a list of files in the folder, this means your system has directory Indexes turned on, which will need to be turned off to secure your files.
  • manuelruizp84manuelruizp84
    I was already getting this on my browser: https://gibbon.cbc.edu.do/uploads

    Forbidden
    You don't have permission to access this resource.

    Apache/2.4.41 (Ubuntu) Server at gibbon.cbc.edu.do Port 443

    So I guess everything is set but in my own installation, but Gibbon still giving this warning... Guess the Gibbon system check needs a few tweaks there.
  • QualitymixQualitymix
    If you head to your apache2 config file, there is an option that you can remove that fixes this issue. It's called folder indexing and is typically found here:
    /etc/apache2/apache2.conf

    The lines you're looking for are these: 
    
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    You want it to look like this:

    Options FollowSymLinks AllowOverride None Require all granted

    ...So you remove the indexing feature.
    manuelruizp84
  • QualitymixQualitymix
    There is apparently no easy way to show < > tags in this forum! So here we go again:
    Replace this:

    < Directory /var/www/ >
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
    < /Directory >

    With this:

    < Directory /var/www/ >
    Options FollowSymLinks
    AllowOverride None
    Require all granted
    < /Directory >

    I had to add spaces to the < >, so make sure you're not copying and pasting from here. Just remove the word Indexes!
    manuelruizp84
  • manuelruizp84manuelruizp84
    Qualitymix,

    thank you!!!!!!!!!!!!

    It's working fine now!
    Qualitymix
  • manuelruizp84manuelruizp84
    Yes, I found it!!! restarted apache2 service and WALAH! No warnings from Gibbon... Just needed to remove the word "indexes". Thanks!! Last week has been really the longest time that I spent using and setting up Linux (normally a Windows user)... And so far, learning a LOT. Thanks!!
    Qualitymix
  • sandrasandra
    Thanks for the instructions Qualitymix, I'll update our documentation for this process so that it's more clear and includes these instructions for Apache : )
Sign In or Register to comment.