Like many worldwide, the recent ownCloud vulnerabilities got us worried as security professionals and tool authors. According to this blog, the vulnerability was caused by a test file in the vendor directory.
@symfonystation The real issue here is that too many PHP applications are not configured to work with a single PHP entrypoint, instead, they enable any dot php file to be served. This is criminal often, specially on nginx where you can't ship these rules like Apache (an .htaccess file on web root) and users share their own rules without realizing the hazardous conditions.
Add comment