#1
The index.php in the template directory only protects you if someone enters the root of a particular directory. However if they know the exact file name they are looking for, it is very possible that the contents of the file will be output into the browser. Particularly for Smarty .tpl files.
I only thought about this because I saw that someone had found my website using the phrase "Powered by WHMCS" coupled with the fact that it seems that many are using the Smarty {php} tag (not recommended by Smarty authors btw) which could include sensitive information. Anyway the fix is simple, here is the quick way if you are using an Apache server with .htaccess enabled. Put this into your .htaccess file in the web root of your site. Code:
<Files ~ "\.tpl$">
    Order allow,deny
    Deny from all
</Files>
__________________
Ideamesh - Web Design, Development, Hosting ++

#2
That's very useful. Thanks.
#3
If you search the forums you would have found that this has already been posted a few times:
http://forum.whmcs.com/showthread.php?p=71423#post71423
http://forum.whmcs.com/showthread.php?p=81891#post81891
__________________
█ TsHosting & Web Design | Custom Mods | Header/Footer Integrations █ Template Editor | Maintenance Mode V1.0.2 | PayPal Balance V1.0 | ClientArea Popups NEW! █ Plan Comparison | Client Area Home Page | DEFSPARK - Custom Cart Template | Custom PDF Invoice | ErrorPages

#4
|
Considering I just googled someone's template files, I think it is worth mentioning. Glad there are other people who think this is an important fix.
__________________
Ideamesh - Web Design, Development, Hosting ++

#5
You can also control this to a point in your robots.txt if the search engine bot uses robot rules.
robots.txt
-------------------------------
User-agent: *
Disallow: /*.tpl$
-------------------------------
(without the --------- lines)

#7
I thought IIS 6.0 blocks unknown file extensions by default and you had to specify if you wanted to allow a file extension.
Check this by browsing to your template directory in your browser : http://yourdomain.com/whmcs/template...ult/banned.tpl and see if you can see the template contents.
__________________
Ideamesh - Web Design, Development, Hosting ++

#9
About #7, is there any new stuff that helps even more?

#10
It's not a matter of helping more or not. Simply perform the test that I illustrated a couple messages above and see if you can browse your way to one of your site's templates. If you can see the template code as text then you need to close this hole. If you cannot see the template code then you are as helped as possible.
Code:
http://yourdomain.com/whmcs/templates/default/banned.tpl

PS. The only IIS users that would be affected are 5 and below. In IIS 6 and higher they blocked access to most filetypes by default and you would only need to worry about this if something you changed on the IIS server allowed you to browse to the URL example I provided above.
__________________
Ideamesh - Web Design, Development, Hosting ++
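The check described in this post (browse to banned.tpl and see whether template source comes back) can be scripted so that it is run against both the http and the https side of the site, which is the distinction raised later in the thread. The script below is an added example, not code from any poster or from WHMCS. It assumes curl is installed, uses yourdomain.com and /whmcs as placeholders, and treats a 200 response whose body contains Smarty syntax ({$, {php}, {include, {if) as an exposed template; that heuristic is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): verify that Smarty .tpl files are not
# served as text over http or https. Requires curl. Host and base path below
# are placeholders; templates/default/banned.tpl is the file the thread uses.

# is_exposed STATUS BODY
# Returns 0 when the response looks like raw template source: HTTP 200 and a
# body containing Smarty tags. (Constructed heuristic for this example.)
is_exposed() {
    status="$1"
    body="$2"
    [ "$status" = "200" ] || return 1
    case "$body" in
        *'{$'*|*'{php}'*|*'{include'*|*'{if'*) return 0 ;;
    esac
    return 1
}

# check_url URL
# Fetches the URL (-k tolerates a self-signed certificate on a test host),
# prints a one-line verdict and returns 1 if the template is exposed.
check_url() {
    url="$1"
    tmp=$(mktemp)
    status=$(curl -s -k -o "$tmp" -w '%{http_code}' "$url" || echo "000")
    body=$(cat "$tmp")
    rm -f "$tmp"
    if is_exposed "$status" "$body"; then
        echo "EXPOSED  $url (HTTP $status)"
        return 1
    fi
    echo "ok       $url (HTTP $status)"
    return 0
}

# main [HOST] [BASE_PATH]: test the same template over both schemes.
main() {
    host="${1:-yourdomain.com}"
    base="${2:-/whmcs}"
    rc=0
    for scheme in http https; do
        check_url "$scheme://$host$base/templates/default/banned.tpl" || rc=1
    done
    return $rc
}

# Usage: sh check_tpl.sh yourdomain.com /whmcs
# Only runs the network check when a host argument is supplied.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

A non-zero exit from main means at least one scheme still serves template source; a 403 on both (the result of the Deny rule) or a 404 both count as closed.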
#11
IIS7 is a totally different animal... even the admin interface GUI. I've only seen it in some training with no hands on. So I can't be more specific.
__________________
Pray Harder ... Time is Short WHMCS since 2005 ver 4.2.1

#12
Will this .htaccess setting prevent access to the tpl files over https?

#13
Yes it does. I think it would be a more complicated rule to make it only apply to http vs https.
__________________
Ideamesh - Web Design, Development, Hosting ++

#14
Personally I'm somewhat hesitant to place rules in robots.txt for files that I am trying to obscure. Anyone can read this robots.txt file and gain insight into what you are trying to protect, although security via obscurity really is a bad policy to begin with.
__________________
Ideamesh - Web Design, Development, Hosting ++

#15
If I use http, it blocks it but if I am over my https, the contents of the .tpl files are being displayed.
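Added configuration example, not from any post in the thread: a server-level form of the same rule. A .htaccess file is only consulted for requests served from the directory tree that contains it, and only where that virtual host's AllowOverride permits it. An https virtual host that has its own DocumentRoot, or that sets AllowOverride None, never reads the .htaccess sitting in the http DocumentRoot, which is one plausible cause of the http/https difference reported in this post. Placing the FilesMatch block in the main server configuration, outside any VirtualHost, applies it to every virtual host regardless of their .htaccess settings. Hostnames, paths and certificate files are placeholders; the Order/Deny syntax is Apache 2.2 (as used in the thread) and the Apache 2.4 equivalent is shown commented out.

```apache
# Added example (not from the thread). Deny direct requests for Smarty
# templates for every virtual host by putting the rule at server scope.
# Apache 2.2 syntax, matching the .htaccess rule earlier in the thread.
<FilesMatch "\.tpl$">
    Order allow,deny
    Deny from all
</FilesMatch>

# Apache 2.4 equivalent of the block above:
# <FilesMatch "\.tpl$">
#     Require all denied
# </FilesMatch>

# Placeholder http virtual host.
<VirtualHost *:80>
    ServerName yourdomain.com
    DocumentRoot /var/www/yourdomain
</VirtualHost>

# Placeholder https virtual host. If this vhost pointed at a different
# DocumentRoot, or its directory had "AllowOverride None", a .htaccess in
# the http DocumentRoot would not apply to https requests; the server-level
# FilesMatch above does not depend on either.
<VirtualHost *:443>
    ServerName yourdomain.com
    DocumentRoot /var/www/yourdomain
    SSLEngine on
    # Certificate paths are placeholders.
    SSLCertificateFile /etc/ssl/certs/yourdomain.crt
    SSLCertificateKeyFile /etc/ssl/private/yourdomain.key
</VirtualHost>
```

After reloading Apache, requesting a template over either scheme should return 403 rather than the template source; the earlier http-vs-https check in this thread is the quickest way to confirm both sides.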