• Resolved Oleg Meglin

    (@omeglin)


    Hello guys,

    I have recently been doing a lot of pentesting. One thing I noticed about websites with the W3 Total Cache plugin installed is that the path “wp-content/plugins/w3-total-cache/pub/” returns the status code 200 with a blank site.

    Is there a special reason for this? I would prefer if there was a 404 status code instead. Can you please schedule that for the next release?

    Thanks very much.

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Contributor Marko Vasiljevic

    (@vmarko)

    Hello @omeglin

    Thank you for reaching out.
    I’ve tested this and I am getting the 403 response. So there is no 200 response.

    Can you please share your website URL so I can check this?

    Thanks!

    Thread Starter Oleg Meglin

    (@omeglin)

    Hi @vmarko,

    thank you for your reply.

    To reproduce, I just installed a completely fresh WordPress system with only W3 Total Cache installed and configured. I get the same behavior as with the other sites with this plugin.

    Here is the demo installation:
    https://demo.megl.in/wp-content/plugins/w3-total-cache/pub/

    Let me know if you need any further information.

    EDIT: I checked the “.htaccess” file. It seems to be complete.

    Plugin Contributor Marko Vasiljevic

    (@vmarko)

    Hello @omeglin

    Thank you for your feedback.
    As mentioned before, I was not able to reproduce this. I am always getting the 403. I’ll check this more and get back to you.

    Thanks!

    Thread Starter Oleg Meglin

    (@omeglin)

    Hi @vmarko

    did you test it on a fresh installation or just on an existing one? Do you have any additional .htaccess rules that are not set by default?

    Plugin Contributor Marko Vasiljevic

    (@vmarko)

    Hello @omeglin

    Yes, I’ve double-checked everything in both nginx and apache env.
    I am still testing more. Can you please share what the files/folder permissions on your server are?

    Thanks!

    Thread Starter Oleg Meglin

    (@omeglin)

    Hi @vmarko,

    the files/folder permissions are the recommended ones:

    • directory permissions 755
    • file permissions 644
    Plugin Contributor Marko Vasiljevic

    (@vmarko)

    Hello @omeglin

    I cannot seem to replicate the issue so it must be related to the apache config.
    I’ll try digging some more. I am still getting the 403 checking any w3tc folder.

    Thanks!

    Thread Starter Oleg Meglin

    (@omeglin)

    How can this be due to the Apache config? If you have taken steps to block the path, then the path should be blocked. Nothing special is defined in my Apache configuration. Directory listing is of course disabled.

    I’ve now looked at it myself in detail. I recognized the following:

    • You have an empty index.html file in the directory.
    • I can’t find a .htaccess file in the plugin directory that restricts access.
    • In the WordPress main .htaccess file, no rule is included that restricts access.

    This means that all the requirements are met for an empty page to be returned with status code 200. In this case my Apache server is behaving correctly. I’m going to assume that your test environment has a special Apache configuration because it’s not behaving normally.
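
The three observations in the last reply, as an added example that is not part of the thread or the plugin's code: a simplified Python model of how Apache answers a request for a directory URL. The `DirectoryIndex` list, `Options -Indexes`, `AllowOverride All` and all function names are assumptions, and any deny-all line in a `.htaccess` is treated as covering the whole directory.

```python
import os
import re
import tempfile

# Assumed settings (not from the thread): this DirectoryIndex, "Options -Indexes",
# and AllowOverride All so that .htaccess files are honoured.
DIRECTORY_INDEX = ("index.html", "index.php")
# Simplification: any deny-all line counts, even one inside a <Files> block.
DENY_RULE = re.compile(r"^\s*(Require\s+all\s+denied|Deny\s+from\s+all)\s*$", re.I | re.M)


def htaccess_denies(docroot, directory):
    """True if a .htaccess in directory or a parent up to docroot denies all."""
    docroot, current = os.path.realpath(docroot), os.path.realpath(directory)
    while True:
        candidate = os.path.join(current, ".htaccess")
        if os.path.isfile(candidate):
            with open(candidate, encoding="utf-8", errors="replace") as fh:
                if DENY_RULE.search(fh.read()):
                    return True
        parent = os.path.dirname(current)
        if current == docroot or parent == current:
            return False
        current = parent


def predicted_status(docroot, directory):
    """Predict the status of a GET for a directory URL under the assumptions."""
    if not os.path.isdir(directory):
        return 404
    if htaccess_denies(docroot, directory):
        return 403
    if any(os.path.isfile(os.path.join(directory, n)) for n in DIRECTORY_INDEX):
        return 200  # the index file is served, even when it is empty
    return 403      # no index file and directory listing is disabled


def build_sample_tree(root):
    """Constructed sample: plugin 'pub' directory with an empty index.html."""
    pub = os.path.join(root, "wp-content", "plugins", "w3-total-cache", "pub")
    os.makedirs(os.path.join(pub, "css"))
    open(os.path.join(pub, "index.html"), "w").close()
    return pub


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        pub = build_sample_tree(root)
        for d in (pub, os.path.join(pub, "css")):
            print(d, "->", predicted_status(root, d))
```

Run against a real document root, `predicted_status` shows which plugin directories answer 200 only because an empty index file is present and no deny rule applies.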

  • The topic ‘404 for the `pup` directory’ is closed to new replies.