Moodle 4.0 Security Report: Check all public / private paths errors

This forum post has been removed.

Number of replies: 6
In reply to Deleted user

Re: Moodle 4.0 Security Report: Check all public / private paths errors

Posted by Michael Hawkins

Hi Bec,

The files listed as failing there look like those that should be hidden to avoid revealing things like files only relevant to developers and/or those that make it easier to "fingerprint" the site (identify information about the site such as the exact Moodle version). I think in this case, it is not a matter of directory/file permissions, but rather that the web server just needs to be configured to hide those internal paths. You mentioned your web server is IIS, so you should be able to achieve this by following the IIS hiding internal paths documentation - hopefully that will remove all of those errors.

In case anyone using a different web server finds this discussion while searching for solutions to the same errors, the following are the equivalent docs for Apache and Nginx:

Apache - hiding internal paths docs

Nginx - hiding internal paths docs

Average of ratings: Useful (3)
In reply to Michael Hawkins

This forum post has been removed.

In reply to Michael Hawkins

Re: Moodle 4.0 Security Report: Check all public / private paths errors

Posted by Mario Bouchard

Hi,

I have a similar problem on my home server. I want to use WordPress and Moodle together, and the RewriteRule solution used to solve the paths security problem in Moodle seems to create a conflict between the two programs. If I add the RewriteRule lines in httpd.conf, that solves the paths security problem in Moodle but creates a blank page in WordPress when I try to modify the site or add a page, article, or media. If I remove the RewriteRule lines from httpd.conf, WordPress runs perfectly but Moodle shows the paths errors.

I have seen nothing about this kind of conflict between these two programs on the Internet. I have tried to move the moodle folder into the wordpress folder with redirections in the configuration files, including the MariaDB database, without result. I have tried to put the RewriteRule lines in a .htaccess file in the moodle folder, without result. As I said, WordPress and Moodle run perfectly according to whether I insert or remove the RewriteRule lines in httpd.conf. Why?

Thanks for your help.

My program versions :

Windows 10 Professional, version 21H2

Apache 2.4.54, php8.0.21, MariaDB 10.6.8, HeidiSQL 11.3.0.6295, moodle 4.0.2, wordpress 6.0.2

My folder installation :

C:/serveur/Apache24

C:/serveur/mariadb

C:/serveur/moodle

C:/serveur/php8

C:/serveur/wordpress

C:/data/mariadb

C:/data/moodledata

My httpd.conf configuration :

SRVROOT "C:/serveur/Apache24"

Listen 80

ServerName localhost:80

AllowOverride None (in Directory)

DocumentRoot "c:/serveur"

Directory "c:/serveur"

Options -Indexes -FollowSymLinks

DirectoryIndex index.php index.html

My php.ini configuration :

doc_root = "C:/serveur"

My Moodle config.php configuration :

$CFG->wwwroot = 'http://localhost/moodle';

$CFG->dataroot = 'C:\\data\moodledata';

$CFG->directorypermissions = 0777;

$CFG->preventexecpath = true;


In reply to Mario Bouchard

Re: Moodle 4.0 Security Report: Check all public / private paths errors

Posted by Mario Bouchard
Here is the .htaccess content produced by wordpress during installation and the RewriteRule lines added in httpd.conf to solve the server check paths problem :

.htaccess in WordPress:
# BEGIN WordPress
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

httpd.conf :
# This sends all missing files to moodle to render nicely, see MDL-56041
# (as copied from the Moodle docs these paths assume Moodle at the site root;
# with $CFG->wwwroot = http://localhost/moodle they need the /moodle prefix,
# i.e. /moodle/error/index.php, otherwise the error handler itself is missing)
ErrorDocument 404 /error/index.php
ErrorDocument 403 /error/index.php?code=404
RewriteEngine On
RewriteRule "(\/vendor\/)" - [F]
RewriteRule "(\/node_modules\/)" - [F]
RewriteRule "(^|/)\.(?!well-known\/)" - [F]
RewriteRule "(composer\.json)" - [F]
RewriteRule "(\.lock)" - [F]
RewriteRule "(\/environment.xml)" - [F]
RewriteRule "(\/install.xml)" - [F]
RewriteRule "(\/README)" - [F]
RewriteRule "(\/readme)" - [F]
RewriteRule "(\/moodle_readme)" - [F]
RewriteRule "(\/upgrade\.txt)" - [F]
RewriteRule "(phpunit\.xml\.dist)" - [F]
RewriteRule "(\/tests\/behat\/)" - [F]
RewriteRule "(\/fixtures\/)" - [F]
In reply to Mario Bouchard

Re: Moodle 4.0 Security Report: Check all public / private paths errors

Posted by Mario Bouchard
Hi,
I partially solved the conflict issue between WordPress and Moodle. I don't know why, but one RewriteRule line related to Moodle in httpd.conf harms the functioning of WordPress: it is RewriteRule "(\/vendor\/)" - [F]. This line disables certain features in WordPress, such as "Edit Site", or "Create" a post, media file, or page (a blank page appears). By disabling this line, WordPress works normally. It remains to be seen what the impact for Moodle of disabling this line is. And in accordance with the recommendation of the Apache site, I added the content of .htaccess to httpd.conf. Here are the changes made.

After DocumentRoot and Directory in httpd.conf : 
# BEGIN WordPress
RewriteEngine On
RewriteRule
Etc…
# END WordPress
 
# At the end of httpd.conf :
# Both handlers carry the /moodle prefix so they match $CFG->wwwroot
# (the 404 line as first posted still pointed at the site root)
ErrorDocument 404 /moodle/error/index.php
ErrorDocument 403 /moodle/error/index.php?code=404
RewriteEngine On
# RewriteRule "(\/vendor\/)" - [F]
RewriteRule "(\/node_modules\/)" - [F]
RewriteRule "(^|/)\.(?!well-known\/)" - [F]
Etc…

Hope it can be useful to some...
In reply to Mario Bouchard

Re: Moodle 4.0 Security Report: Check all public / private paths errors

Posted by Mario Bouchard
Hi,
In summary, enabling the RewriteRule line that contains “vendor” in httpd.conf invalidates certain functionalities in WordPress on my home server. Several “vendor” folders exist in the WordPress and Moodle directories: one folder in c:/server/wordpress and three folders in c:/server/moodle.

C:/server/wordpress/wp-includes/js/dist/vendor
C:/server/moodle/lib/phpspreadsheet/vendor
C:/server/moodle/theme/boost/scss/bootstrap/vendor
C:/server/moodle/auth/cas/CAS/vendor

I added in httpd.conf the three paths that lead to the “vendor” folder in Moodle. WordPress and Moodle are now working fine.

RewriteRule "(\/vendor\/)" - [F]
becomes:
RewriteRule "(\/moodle/lib/phpspreadsheet/vendor\/)" - [F]
RewriteRule "(\/moodle/theme/boost/scss/bootstrap/vendor\/)" - [F]
RewriteRule "(\/moodle/auth/cas/cas/vendor\/)" - [F]
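The following is an added example, not code from this thread, from Moodle or from WordPress. It replays the RewriteRule patterns posted above (Moodle's generic list, and Mario's three explicit vendor rules from the last post) with Python's re module against a constructed list of request paths, to show concretely why the generic "(\/vendor\/)" rule also answers 403 for WordPress's wp-includes/js/dist/vendor/ assets, and why the explicit replacement rules, being case-sensitive as posted, would not catch a request for auth/cas/CAS/vendor/ written with the on-disk casing (a miss that matters on Windows, where the filesystem is case-insensitive and Apache would serve the file). It also evaluates an assumed alternative of my own, a single vendor rule anchored to the ^/moodle/ prefix with the [NC] flag, which covers every vendor directory under Moodle, including any not listed in the thread, while leaving /wordpress alone. The sample paths, the "prefix scoped" rule set and the helper names are my assumptions; it is also assumed that the lines elided as "Etc…" are the rest of Moodle's generic list. Python's re agrees with Apache's PCRE on the constructs used here (alternation, negative lookahead, escaped slashes), but the authoritative check remains the web server: after restarting Apache, request each path with curl and expect 403 or 404 for the blocked ones.

```python
import re

# Each rule is (pattern, nocase). Apache RewriteRule patterns are matched
# case-sensitively unless the rule carries the [NC] flag, so the flag is
# tracked explicitly. In server context (httpd.conf, outside <Directory>)
# the pattern is applied to the URL-path including its leading slash.

# Moodle's generic rules, as first posted in httpd.conf.
MOODLE_GENERIC_RULES = [
    (r"(\/vendor\/)", False),
    (r"(\/node_modules\/)", False),
    (r"(^|/)\.(?!well-known\/)", False),
    (r"(composer\.json)", False),
    (r"(\.lock)", False),
    (r"(\/environment.xml)", False),
    (r"(\/install.xml)", False),
    (r"(\/README)", False),
    (r"(\/readme)", False),
    (r"(\/moodle_readme)", False),
    (r"(\/upgrade\.txt)", False),
    (r"(phpunit\.xml\.dist)", False),
    (r"(\/tests\/behat\/)", False),
    (r"(\/fixtures\/)", False),
]

# Mario's final variant: the vendor rule replaced by three explicit Moodle
# paths, exactly as posted (no [NC]); assumed to keep the other generic rules.
MARIO_VENDOR_RULES = [
    (r"(\/moodle/lib/phpspreadsheet/vendor\/)", False),
    (r"(\/moodle/theme/boost/scss/bootstrap/vendor\/)", False),
    (r"(\/moodle/auth/cas/cas/vendor\/)", False),
]
MARIO_RULES = MARIO_VENDOR_RULES + MOODLE_GENERIC_RULES[1:]

# Assumed alternative (not from the thread): one vendor rule anchored to the
# Moodle URL prefix and flagged [NC], i.e. RewriteRule "^/moodle/(.*/)?vendor/" - [F,NC]
PREFIX_SCOPED_RULES = [(r"^/moodle/(.*/)?vendor/", True)] + MOODLE_GENERIC_RULES[1:]

RULESETS = {
    "moodle generic": MOODLE_GENERIC_RULES,
    "mario explicit": MARIO_RULES,
    "prefix scoped (assumed)": PREFIX_SCOPED_RULES,
}

# Constructed request paths: the WordPress asset that broke the editor, the
# three Moodle vendor directories from the thread (one requested with the
# on-disk CAS/ casing), and a few other targets of the generic rules.
SAMPLE_PATHS = [
    "/wordpress/wp-includes/js/dist/vendor/react.min.js",
    "/moodle/lib/phpspreadsheet/vendor/autoload.php",
    "/moodle/theme/boost/scss/bootstrap/vendor/_rfs.scss",
    "/moodle/auth/cas/CAS/vendor/CAS.php",
    "/moodle/composer.json",
    "/moodle/.git/config",
    "/moodle/.well-known/acme-challenge/token",
    "/moodle/course/view.php",
]


def is_blocked(url_path: str, rules) -> bool:
    """True if any rule would answer the request with 403 (the [F] flag)."""
    for pattern, nocase in rules:
        if re.search(pattern, url_path, re.IGNORECASE if nocase else 0):
            return True
    return False


def audit(url_paths, rules) -> dict:
    """Map each request path to whether the given rule set blocks it."""
    return {path: is_blocked(path, rules) for path in url_paths}


def compare(url_paths) -> dict:
    """Run every rule set over the same paths for side-by-side comparison."""
    return {name: audit(url_paths, rules) for name, rules in RULESETS.items()}


if __name__ == "__main__":
    results = compare(SAMPLE_PATHS)
    names = list(results)
    print(f"{'request path':<55}" + "".join(f"{n:<26}" for n in names))
    for path in SAMPLE_PATHS:
        row = "".join(
            f"{'403 blocked' if results[n][path] else 'served':<26}" for n in names
        )
        print(f"{path:<55}{row}")
```

Read the "mario explicit" column for /moodle/auth/cas/CAS/vendor/CAS.php: it is served, because the posted rule spells the directory cas/cas/ and has no [NC]. Adding [NC] to those three lines, or using the prefix-scoped rule, closes that gap without touching WordPress.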