I’ve been using concrete-css as my website engine of choice since concrete5 saved me having to roll my own CMSs back in the day. But one security issue that I have turned a blind eye to all these years has just been brought back to my attention by a work colleague - that of serving the entire application from a publicly accessible root directory.
It is generally considered to be best practice these days to locate directories not intended for public indexing in an isolated parent directory, e.g. most of a system’s files are located in a root directory which also contains a public folder, which is home to the dispatcher or index file, along with the site’s static files or assets. This /public directory is where the vhost is served from. As far as I know, nearly all modern web systems are structured in this way these days, for security reasons.
Is there any particular reason why concrete-css continues to serve everything from the root directory? My colleague has reminded me that this facilitates RCE vulnerabilities, and can expose the content of files to the screen in plain text if PHP is ever misconfigured such that it displays the code instead of running it. For example, the contents of /html/application/config/database.php could then be read via a browser ... oops!
As an experiment, I tried creating a /public directory and changing a few core paths in the bootstrap config file, but this soon became unmanageable when namespaces started to need reconfiguring. One of the main issues is that the application takes its structure/location from DIR_BASE, which in turn takes its structure/location from $_SERVER['SCRIPT_FILENAME'], so the location of the dispatcher call (index.php) is key to everything else working harmoniously.
I’m no expert on application structures and security, so am I missing something here? Is there a mechanism beyond the use of 'C5_EXECUTE' that negates the best-practice need for an isolated public directory?
Or failing that, can anyone please help by suggesting a robust .htaccess configuration that would go some way towards protecting the backend directories against RCE attacks and server misconfiguration issues?
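One defence-in-depth .htaccess for the layout described above, as an added example rather than Concrete CMS's own configuration. It assumes Apache 2.4 with mod_rewrite, AllowOverride permitting these directives, the file placed in the document root next to index.php, and that every legitimate request goes through index.php (the single dispatcher the post describes); the directory name application/config is taken from the post.

```apache
# Added example, not Concrete CMS's own .htaccess. Assumptions: Apache 2.4+,
# mod_rewrite enabled, AllowOverride permits these directives, and this file
# sits in the document root next to index.php (the dispatcher).

# No directory listings for the web root or anything beneath it.
Options -Indexes

# All legitimate requests are dispatched by index.php, so no other PHP file
# should be reachable by URL. Apache refuses the request before any handler
# runs, which also covers the case where PHP is misconfigured and would
# otherwise return the file's source as plain text.
<FilesMatch "^(?!index\.php$).+\.php$">
    Require all denied
</FilesMatch>

# Refuse direct requests for the config tree (application/config is the
# directory named in the post). Place this above the CMS's usual pretty-URL
# rewrite to index.php so that rule cannot be reached for these paths.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^application/config(/|$) - [F,L]
</IfModule>

# Common non-PHP files that carry secrets or repository state and must never
# be served from a web root (generic list, not specific to Concrete CMS).
<FilesMatch "^(\.env.*|\.git.*|composer\.(json|lock)|\.htaccess)$">
    Require all denied
</FilesMatch>
```

This only narrows what Apache will serve; it does nothing on nginx or other servers that ignore .htaccess, and keeping database.php outside the document root remains the stronger control.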