Should /docs folder be deleted during install or update?

Do not post support requests, bug reports or feature requests. Discuss phpBB here. Non-phpBB related discussion goes in General Discussion!
Anti-Spam Guide
User avatar
P_I
Registered User
Posts: 924
Joined: Tue Mar 01, 2011 8:35 pm
Location: Calgary
Contact:

Should /docs folder be deleted during install or update?

Post by P_I » Tue May 07, 2019 12:36 pm

phpBB packages ship with a /docs folder included that has helpful information for the admin/installer, including a phpBB 3.2.x Changelog.

The update instructions, Knowledge Base - Updating 3.2.x, make no mention of whether or not the /docs folder should be uploaded. In fact, Step 7 states: Via FTP or SSH upload the remaining files and folders (that is, the remaining CONTENTS of the phpBB3 folder) to the root folder of your board installation on the server, overwriting the existing files. (Note: take care not to delete any extensions in your /ext folder when uploading the new phpBB3 contents.)

I note that docs returns "You don't have permission to access /community/docs/ on this server." so it appears the folder exists here but something in the server configuration is blocking access, although if you know the structure of the /docs folder, you can see the files exist and can be loaded, as in the example of the phpBB 3.2.x Changelog above.

A two part question,
  1. Should the /docs folder be accessible on a forum?
  2. If not, should the Updating 3.2.x instructions be changed so instruct the admin NOT to upload the /docs folder
Normal people… believe that if it ain’t broke, don’t fix it. Engineers believe that if it ain’t broke, it doesn’t have enough features yet. – Scott Adams

User avatar
Mick
Support Team Member
Support Team Member
Posts: 21153
Joined: Fri Aug 29, 2008 9:49 am
Location: Watching cricket - definitely

Re: Should /docs folder be deleted during install or update?

Post by Mick » Tue May 07, 2019 12:50 pm

They’re for reference and don’t take up much room why would you want to delete them?
"The more connected we get the more alone we become" - Kyle Broflovski

User avatar
P_I
Registered User
Posts: 924
Joined: Tue Mar 01, 2011 8:35 pm
Location: Calgary
Contact:

Re: Should /docs folder be deleted during install or update?

Post by P_I » Tue May 07, 2019 1:02 pm

The first thought was they serve no purpose to the end-user (members and guests) and are really only useful to an admin, so why put them up on the server. Based on checking a number of other phpBB sites, it seems hit and miss whether admins have uploaded this folder, so I thought I'd seek out 'best practices' here by asking the question.

There is also a security angle. I was discussing with a co-admin and the fact that the Changelog provides an easy method to detect the phpBB version was somewhat of a concern for security reasons. Particularly since phpBB 3.2.5 is now known to have open security issues which were disclosed in the phpBB 3.2.6 announcement. BTW, I know there are other methods to view phpBB source files that can yield the phpBB version, so this won't completely solve the issue.
Normal people… believe that if it ain’t broke, don’t fix it. Engineers believe that if it ain’t broke, it doesn’t have enough features yet. – Scott Adams

User avatar
david63
Registered User
Posts: 16190
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK
Name: David Wood
Contact:

Re: Should /docs folder be deleted during install or update?

Post by david63 » Tue May 07, 2019 2:29 pm

P_I wrote:
Tue May 07, 2019 1:02 pm
I was discussing with a co-admin and the fact that the Changelog provides an easy method to detect the phpBB version was somewhat of a concern for security reasons
And just how is anybody going to access that file on the server? If they can then I would have far greater concerns about the server security than knowing which version of phpBB I was using.

Just for the record I either delete them or don't upload them - and that goes for any software package.
David
Remember: You only know what you know and - you don't know what you don't know!
My CDB Contributions | How to install an extension
I will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.
No support requests via PM or email as they will be ignored

User avatar
P_I
Registered User
Posts: 924
Joined: Tue Mar 01, 2011 8:35 pm
Location: Calgary
Contact:

Re: Should /docs folder be deleted during install or update?

Post by P_I » Tue May 07, 2019 2:48 pm

david63 wrote:
Tue May 07, 2019 2:29 pm
And just how is anybody going to access that file on the server?
docs/CHANGELOG.html reveals this forum is running on phpBB 3.2.7. Another example, http://area51.phpbb.com/phpBB/docs/CHANGELOG.html confuses the version issue, but demonstrates that although the /docs directory listing isn't available, knowing the file names that could exist in the directory allows one to access files in that directory.
david63 wrote:
Tue May 07, 2019 2:29 pm
Just for the record I either delete them or don't upload them - and that goes for any software package.
I'm inclined to agree as I don't see any end-user need for having the /docs folder on the server. Which leads back to my original question(s) since following the official (knowledge base) instructions is the best approach to successful updating and operating a phpBB forum.
P_I wrote:
Tue May 07, 2019 12:36 pm
A two part question,
  1. Should the /docs folder be accessible on a forum?
  2. If not, should the Updating 3.2.x instructions be changed so instruct the admin NOT to upload the /docs folder
Normal people… believe that if it ain’t broke, don’t fix it. Engineers believe that if it ain’t broke, it doesn’t have enough features yet. – Scott Adams

User avatar
WelshPaul
Registered User
Posts: 299
Joined: Tue Aug 19, 2014 2:09 pm

Re: Should /docs folder be deleted during install or update?

Post by WelshPaul » Tue May 07, 2019 3:43 pm

Just don't upload the docs directory - That's how i've been doing it since 2006.

User avatar
3Di
Former Team Member
Posts: 13791
Joined: Mon Apr 04, 2005 11:09 pm
Location: Milan (IT) Frankfurt (DE)
Name: Marco
Contact:

Re: Should /docs folder be deleted during install or update?

Post by 3Di » Tue May 07, 2019 8:21 pm

The phpBB version can easily be spoofed by the style.cfg file of a template.
And you can't hide such file. ;)
Please PM me only to request paid works. Thx.
Want to compensate me for my interest? Donate
My development's activity º PhpStorm's proud user
Extensions, Scripts, MOD porting, Update/Upgrades
👨‍🏫 | Take a tour to | The Studio | 👨‍🏫

Lady_G
Registered User
Posts: 227
Joined: Fri Jun 08, 2012 12:38 pm
Location: US

Re: Should /docs folder be deleted during install or update?

Post by Lady_G » Wed May 08, 2019 2:56 am

I always delete my /docs folder.

Those files are part of the install package and have no functional purpose after the installation has completed. I think it is good programming practice to remove non-functioning code - which includes documentation.

User avatar
John connor
Registered User
Posts: 2118
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron
Contact:

Re: Should /docs folder be deleted during install or update?

Post by John connor » Wed May 08, 2019 6:02 am

I was wondering this myself, and as a slight security issue it would be prudent to just remove them.

Edit-

And wow! I see a popular phpBB website has their docs folder in tact. If I were out to hack them that be the avenue I'd go after. Perhaps the KB article should have some verbiage there that says that the docs folder should be removed after updating.

User avatar
AmigoJack
Registered User
Posts: 5588
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン
Contact:

Re: Should /docs folder be deleted during install or update?

Post by AmigoJack » Wed May 08, 2019 7:03 am

  1. Should? No. Could? Yes. And I speak for being available entirely, not just only to one forum.
  2. Keep in mind that a ZIP file could also be extracted on the server, so "not uploading" is not the appropriate advice. A better advice would be to delete them once going live. phpBB killed showing its version in the footer for security reasons - it's just inconsistent to not even try it with other files, too.
The worst thing about censorship is ███████████
Affin wrote:
Tue Nov 20, 2018 9:51 am
The problem is probably not my English but you do not want to understand correctly.
...
We will not come anybody anyway, nevertheless, it's best to shit this.

User avatar
Lumpy Burgertushie
Registered User
Posts: 66338
Joined: Mon May 02, 2005 3:11 am
Contact:

Re: Should /docs folder be deleted during install or update?

Post by Lumpy Burgertushie » Wed May 08, 2019 5:44 pm

they removed the version number from the footer because certain versions of phpbb2 had a lot of vulnerabilities.
hackers were able to simply do a google search for the text of the version number in the footer and be able to find the boards that were still vulnerable.

as far as I know, since phpbb3 there have been no vulnerabilities that knowing a version number would help.

the docs folder has been left in most of the boards around the world for ever. if there was a way to hack into phpbb by viewing that file I would imagine someone would have figured it out by now.

it really does not help the phpbb board owners to see these kinds of discussions about things that are really not anything for them to worry about.


robert
I'm baaaaaccckkkk. still doing work on donation basis. PM your needs.

Premium phpBB 3.2 Styles by PlanetStyles.net

If a tree falls in the forest and nobody is there, does it make a sound?

User avatar
P_I
Registered User
Posts: 924
Joined: Tue Mar 01, 2011 8:35 pm
Location: Calgary
Contact:

Re: Should /docs folder be deleted during install or update?

Post by P_I » Wed May 08, 2019 6:20 pm

Lumpy Burgertushie wrote:
Wed May 08, 2019 5:44 pm
it really does not help the phpbb board owners to see these kinds of discussions about things that are really not anything for them to worry about.
Sorry but I respectfully disagree. Let me explain why.
Lumpy Burgertushie wrote:
Wed May 08, 2019 5:44 pm
the docs folder has been left in most of the boards around the world for ever. if there was a way to hack into phpbb by viewing that file I would imagine someone would have figured it out by now.
From a security point of view, phpBB 3.2.6 Release - Please Update specifically states that previous versions of phpBB had security vulnerabilities that were addressed. Whether or not they could be exploited is another issue outside of this discussion. That's why security researchers typically contact the software developers about potential vulnerabilities before the information is publicly made available.

It is also pretty well known that site admins don't always update their phpBB versions as soon as new release comes out. So there will be plenty of phpBB sites running versions that contain these known security vulnerabilities. But how does one find which ones?

The point of my asking the question about the /docs folder is it contains know filenames (CHANGELOG.html), that if present, would allow someone to determine what phpBB version was operating on the site. This information, together with the above knowledge of security vulnerabilities in for example, phpBB 3.2.5, could be of concern with site admins working to ensure ALL precautions are taken to protect their site.
Normal people… believe that if it ain’t broke, don’t fix it. Engineers believe that if it ain’t broke, it doesn’t have enough features yet. – Scott Adams

User avatar
P_I
Registered User
Posts: 924
Joined: Tue Mar 01, 2011 8:35 pm
Location: Calgary
Contact:

Re: Should /docs folder be deleted during install or update?

Post by P_I » Wed May 08, 2019 6:26 pm

Normal people… believe that if it ain’t broke, don’t fix it. Engineers believe that if it ain’t broke, it doesn’t have enough features yet. – Scott Adams

User avatar
canonknipser
Registered User
Posts: 1995
Joined: Thu Sep 08, 2011 4:16 am
Location: Germany
Name: Frank Jakobs
Contact:

Re: Should /docs folder be deleted during install or update?

Post by canonknipser » Thu May 09, 2019 6:08 am

As mentioned earlier in this discussion, it is not only the docs folder giving informations about the current phpBB version, but also the style.cfg.So, for security reason, this file, which is present for every style, needs to be protected (eg. via .htaccess) as it can't be removed. There may be other files as well which have sensitive information about the current phpBB version and are accessible via direct browsing.
Greetings, Frank
phpbb.de support team member
English is not my native language - no support via PM or mail
New arrival - Extensions and scripts for phpBB

User avatar
John connor
Registered User
Posts: 2118
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron
Contact:

Re: Should /docs folder be deleted during install or update?

Post by John connor » Thu May 09, 2019 11:08 am

Here are the files I found that mention the current version of phpBB one might be using. I used the program Fileseek to find them.

Code: Select all

\posting.php
\viewforum.php
\viewtopic.php
\cache\production\data_global.php
\docs\CHANGELOG.html
\includes\constants.php
\includes\functions_display.php
\includes\mcp\mcp_reports.php
\includes\ucp\ucp_pm_viewmessage.php
\phpbb\db\migration\data\v32x\v325.php
\phpbb\db\migration\data\v32x\v325rc1.php
\styles\prosilver\style.cfg
Perhaps if any of those files are accessible, someone could create an extension to prevent someone from looking at them rather then messing around with a bunch of htaccess files. Though, I'm thinking an extension can be bypassed.

Post Reply

Return to “phpBB Discussion”