Close .tpl access with .htaccess
WebWorker
03-15-09, 02:15 PM
The index.php in the template directory only protects you if someone enters the root of a particular directory. However, if they know the exact file name they are looking for, it is very possible that the contents of the file will be output to the browser, particularly for Smarty .tpl files.
I only thought about this because I saw that someone had found my website using the phrase "Powered by WHMCS" coupled with the fact that it seems that many are using the Smarty {php} tag (not recommended by Smarty authors btw) which could include sensitive information.
Anyway the fix is simple, here is the quick way if you are using an apache server with .htaccess enabled.
Put this into your .htaccess file in the web root of your site.
<Files ~ "\.tpl$">
Order allow,deny
Deny from all
</Files>
That's very useful. Thanks. :)
If you had searched the forums, you would have found that this has already been posted a few times:
http://forum.whmcs.com/showthread.php?p=71423#post71423
http://forum.whmcs.com/showthread.php?p=81891#post81891
WebWorker
03-16-09, 04:04 PM
Considering I just googled someone's template files, I think it is worth mentioning. Glad there are other people who think this is an important fix.
inverter
03-23-09, 02:12 PM
You can also control this to a point in your robots.txt if the search engine bot uses robot rules.
robots.txt
-------------------------------
User-agent: *
Disallow: /*.tpl$
-------------------------------
without the --------- lines
openmind
03-25-09, 05:30 PM
Anyone got the equivalent for doing this in IIS?
WebWorker
03-25-09, 05:55 PM
I thought IIS 6.0 blocks unknown file extensions by default and you had to specify if you wanted to allow a file extension.
Check this by browsing to your template directory in your browser: http://yourdomain.com/whmcs/templates/default/banned.tpl and see if you can see the template contents.
openmind
03-25-09, 06:29 PM
Yes you are quite right, I had a brain fart and completely forgot this... ;)
mylove4life
03-25-09, 07:28 PM
What about 7? Is there any new stuff that helps even more?
WebWorker
03-25-09, 09:17 PM
It's not a matter of helping more or not. Simply perform the test that I illustrated a couple messages above and see if you can browse your way to one of your site's templates. If you can see the template code as text then you need to close this hole. If you cannot see the template code then you are as helped as possible.
http://yourdomain.com/whmcs/templates/default/banned.tpl
PS. The only IIS users that would be affected are 5 and below. In IIS 6 and higher they blocked access to most file types by default, and you would only need to worry about this if something you changed on the IIS server allowed you to browse to the URL example I provided above.
What about 7? Is there any new stuff that helps even more?
IIS7 is a totally different animal... even the admin interface GUI. I've only seen it in some training with no hands on, so I can't be more specific.
pure|ws
03-26-09, 09:19 PM
Will this .htaccess setting prevent access to the .tpl files on https?
WebWorker
03-26-09, 09:24 PM
Yes it does. I think it would be a more complicated rule to make it only apply to http vs https.
WebWorker
03-26-09, 09:28 PM
You can also control this to a point in your robots.txt if the search engine bot uses robot rules.
The rule in .htaccess will block access from browsers or bots. Not all search bots follow the rules you place in robots.txt either ;)
Personally I'm somewhat hesitant to place rules in robots.txt for files that I am trying to obscure. Anyone can read this robots.txt file and gain insight into what you are trying to protect, although security via obscurity really is a bad policy to begin with.
pure|ws
03-27-09, 05:32 AM
Yes it does. I think it would be a more complicated rule to make it only apply to http vs https.
It does not appear to be.
If I use http, it blocks it but if I am over my https, the contents of the .tpl files are being displayed.
WebWorker
03-27-09, 05:21 PM
It definitely works on this end. If you like you can post your htaccess code or PM me with it and I will help you figure out what's going on.
ChrisGooding
04-05-09, 10:39 AM
Have you entered it into the .htaccess file in the root directory, or one in the folder where the .tpl files are?
You can have a .htaccess file in every directory, and it is a good way to have different rules throughout your site... (without having a mega complex top level one anyway).
Try placing a .htaccess file into your template directory with the following in it...
<Files "*.tpl">
Order Allow,Deny
Deny from All
</Files>
This should prevent the issue with https:// still allowing access to them.
Additionally, you should ensure that you still have a blank index file in every directory, unless of course there is one that actually is needed to display stuff.
This will prevent people seeing the actual list of files within the directory. I know it's a basic website requirement, but some people can miss it!!
Additionally, you should ensure that you still have a blank index file in every directory, unless of course there is one that actually is needed to display stuff.
This will prevent people seeing the actual list of files within the directory. I know it's a basic website requirement, but some people can miss it!!
You can also shut off indexing by default on the entire server, something we do for all of ours. If someone wants to display an index, we allow overrides.
ChrisGooding
04-05-09, 10:53 AM
Very true....
Swings and roundabouts really, boils down to preference.... mine is blank index files.
Well, I say blank, I did go through a phase of having my directories have a 'You shouldn't be in here' type of file, with an advert on.....
But I got bored of it, lol. :)
WebWorker
04-05-09, 06:48 PM
This is also configurable from the .htaccess file using the Options -Indexes line.
Here is the top of my .htaccess file located at the webroot of my site:
RewriteEngine On
Options -Indexes
<Files ~ "\.tpl$">
Order allow,deny
Deny from all
</Files>
Since we're building on this, if you have more than one file type to deny, use this:
<Files ~ "\.(tpl|bak|old)$">
Order allow,deny
Deny from all
</Files>
Many folks working in shell will rename a file "bak" or "old" to move it out of the way and preserve the pre-change version. If you don't deny tpl, for instance, and rename one as "xx.tpl.bak"...Apache will serve it as text, usually, just as if you hadn't blocked direct access. ;)
Oh, and earlier in this thread someone gave "*.tpl". Don't use that, as it won't work properly. "." has special meaning "one character"...you need to escape it with the slash to have it work. Chances are pretty good that "*.tpl" will cause a 500 error.
Why not just put a redirect on the header.tpl footer.tpl and style.css files? Lol... Sounds easier.
Have you actually tried that? If so, what happened?
A redirect on those will probably cause things to break, and it's more than just those three at risk. Have a look at your templates directory and count how many files are in there.
WebWorker
04-12-09, 11:30 PM
Just wanted to mention that best practice in programming is to not have duplicate code when you can keep it in a central location.
Editing one .htaccess file beats out having to edit multiple .tpl files.
Bear's suggestion of having the rule affect multiple file types makes this even more powerful.
robotronik
04-14-09, 02:22 PM
Thank you for this.
I had previously not considered this but this has been a great help and now completely covers up my tpl files :)
crombiecrunch
04-27-09, 06:04 PM
Thank you for this info
pure|ws
04-30-09, 09:47 AM
This still does not work for me on https. :?
Accessing the .tpl file over http is not allowed but if I switch to use https, lo and behold, the tpl contents are exposed.
WebWorker
04-30-09, 02:46 PM
Sorry to hear you're still having a problem. I'm fairly confident that one rule is all you need. If you need some more advanced help, please provide your .htaccess file and what type of web server you're running.
This still does not work for me on https. :?
Accessing the .tpl file over http is not allowed but if I switch to use https, lo and behold, the tpl contents are exposed.
If it's the site in your signature, that appears to be running on Plesk? It's been a while since I've used that CP, but if I remember right the httpdocs and httpsdocs folders are on the same level, requiring duplicate copies of your files? Did you also duplicate the .htaccess file in the secure directory?
/
../httpdocs
..../site_files
..../.htaccess
../httpsdocs
..../secure_site_files
..../??
ChrisGooding
05-01-09, 07:51 AM
Was going to point out the same thing bear.
We have LOADS of customers who that catches out. Parallels (especially Plesk/Virtuozzo) sure know how to make life complicated :roll:
Domain section or the actual Domain anyone!!!!
Redsign
05-03-09, 03:32 PM
It does not appear to be.
If I use http, it blocks it but if I am over my https, the contents of the .tpl files are being displayed.
I just checked ours on both http and https and it blocked both with the code from this thread..
So I can only assume it's your server config?
Ben
pure|ws
05-11-09, 02:23 AM
Thanks for all the help so far but this thing is driving me nuts.
Our WHMCS install is not on a Plesk CP. It's on a bare LAMP.
Let me try a couple of settings and see how it goes.
If this fails, I may need to start sending PMs to some of you here :)
pure|ws
05-18-09, 11:24 AM
It took a little bit of experimentation but in the end, we ended up modifying the ssl.conf file with the directives posted in this thread.
We are good now. I just don't want to leave our issue on this topic open. Thanks everyone!
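Pulling the thread's pieces together: the rules below are an added example of mine (not code from WHMCS or from anyone in this thread) showing the same deny directives placed directly in the SSL virtual host, which is effectively what was done in ssl.conf above. It assumes Apache 2.4 syntax, a DocumentRoot of /var/www/whmcs and placeholder certificate paths. The reason this matters for the http-works-but-https-leaks symptom is that .htaccess is only consulted where AllowOverride permits it, and an SSL vhost frequently carries its own <Directory> block with AllowOverride None, so a rule that works on port 80 is silently ignored on port 443. Putting the rule in the vhost removes that dependency; the pattern also covers the .bak/.old copies that "\.tpl$" alone misses, as noted earlier in the thread.

```apacheconf
# Added example (not from the thread): deny direct download of template and
# backup files in the HTTPS vhost, independent of any .htaccess file.
# DocumentRoot and certificate paths are assumptions / placeholders.

<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/whmcs

    SSLEngine on
    # Placeholder paths; point these at your real certificate and key.
    SSLCertificateFile /etc/ssl/certs/example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/example.com.key

    <Directory /var/www/whmcs>
        # No directory listings anywhere under the docroot. Same effect as
        # "Options -Indexes" in .htaccess, but it cannot be forgotten per directory.
        Options -Indexes

        # With AllowOverride None, any .htaccess in the docroot is ignored for
        # this vhost. That is the usual cause of ".tpl blocked on http, served
        # on https". Either keep rules here, or raise this to at least
        # "AllowOverride Limit Options" so the .htaccess rules take effect.
        AllowOverride None

        Require all granted
    </Directory>

    # Block the templates plus editor/backup copies that "\.tpl$" alone would
    # miss: foo.tpl.bak, foo.tpl.old, foo.tpl.orig, foo.tpl~ and vim swap files.
    <FilesMatch "\.(tpl|bak|old|orig|swp)$|~$">
        Require all denied
        # Apache 2.2 equivalent of the line above:
        #   Order allow,deny
        #   Deny from all
    </FilesMatch>
</VirtualHost>
```

Put the identical <FilesMatch> block (or the whole <Directory> block) in the *:80 vhost as well, or in a shared <Directory> section outside both vhosts, so the two schemes cannot drift apart again. Run apachectl configtest before reloading; afterwards the check suggested earlier in the thread (requesting templates/default/banned.tpl over both http and https) should return 403 on both. Apache does not allow a comment on the same line as a directive, which is why every comment above sits on its own line.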
Blueberry3.14
05-23-09, 07:37 AM
This still does not work for me on https. :?
Accessing the .tpl file over http is not allowed but if I switch to use https, lo and behold, the tpl contents are exposed.
I use https, and I get a 403, as intended.
gerrybakker
03-05-10, 09:26 AM
I have a strange problem with this addon. It works great on my older WHMCS site that has been upgraded to 4.1.2 but not on a brand new 4.1.2 install for a different site on the same server. I can add the namespinner.tpl and the {include file="namespinner.tpl"} line to everything except for the configureproductdomain.tpl file - if I add that line to that file all of the CSS formatting goes away and completely ruins the look of the cart when I try to look up a domain name. Any idea why?
In configureproductdomain.tpl try it this way
{include file="$template/namespinner.tpl"}
gerrybakker
03-06-10, 12:43 AM
That fixed it !!!!
Thank you.
vchosting
03-06-10, 07:21 PM
Thanks for this - never considered this until now
indy0077
03-07-10, 09:00 PM
You can also control this to a point in your robots.txt if the search engine bot uses robot rules.
robots.txt
-------------------------------
User-agent: *
Disallow: /*.tpl$
-------------------------------
without the --------- lines
Google doesn't accept wildcards [ * ]
...and robots.txt doesn't prevent anything from accessing, it merely suggests not to spider it to those bots that listen. Disallow via other means keeps them from even seeing it, rather than calling attention to their existence.
Does anyone know, if I have WordPress v3.0, whether I can put
<Files ~ "\.tpl$">
Order allow,deny
Deny from all
</Files>
at the top of the WordPress stuff without affecting anything?
In WordPress there are no .tpl files, so this would not affect your WP installation.
In WordPress there are no .tpl files, so this would not affect your WP installation.
Great thanks