File web.config - Could we delete the file #5809

ir0nb1t · 2024-09-20T13:56:56Z

ir0nb1t
Sep 20, 2024

Hi,
we have Chamilo 1.11.26 a security analyst report to us that he can access to file web.config (domain-chamilo.com/web.config) and report as information disclosure,
What is the function of the file web.config?
this file can be delete or how can we restrict the access to that file.

Answered by ywarnier

Oct 22, 2024

Yes, you can totally delete this file or restrict access to it. In v1.11.28 (just released) we have added a restriction in the root .htaccess

<Files "web.config">
  Require all denied
</Files>

So that if Chamilo is served by Apache, it will prevent access to this file (which is only used for IIS anyway).

View full answer

ywarnier · 2024-10-22T08:33:15Z

ywarnier
Oct 22, 2024
Maintainer

Yes, you can totally delete this file or restrict access to it. In v1.11.28 (just released) we have added a restriction in the root .htaccess

<Files "web.config">
  Require all denied
</Files>

So that if Chamilo is served by Apache, it will prevent access to this file (which is only used for IIS anyway).

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

File web.config - Could we delete the file #5809

{{title}}

Replies: 1 comment

{{title}}

Select a reply

File web.config - Could we delete the file #5809

ir0nb1t Sep 20, 2024

Replies: 1 comment

ywarnier Oct 22, 2024 Maintainer

ir0nb1t
Sep 20, 2024

ywarnier
Oct 22, 2024
Maintainer