Should /docs folder be deleted during install or update?

Do not post support requests, bug reports or feature requests. Discuss phpBB here. Non-phpBB related discussion goes in General Discussion!
Suggested Hosts
User avatar
P_I
Community Team Member
Community Team Member
Posts: 2349
Joined: Tue Mar 01, 2011 8:35 pm
Location: Western Canada 🇨🇦
Contact:

Should /docs folder be deleted during install or update?

Post by P_I »

phpBB packages ship with a /docs folder included that has helpful information for the admin/installer, including a phpBB 3.2.x Changelog.

The update instructions, Knowledge Base - Updating 3.2.x, make no mention of whether or not the /docs folder should be uploaded. In fact, Step 7 states: Via FTP or SSH upload the remaining files and folders (that is, the remaining CONTENTS of the phpBB3 folder) to the root folder of your board installation on the server, overwriting the existing files. (Note: take care not to delete any extensions in your /ext folder when uploading the new phpBB3 contents.)

I note that docs returns "You don't have permission to access /community/docs/ on this server." so it appears the folder exists here but something in the server configuration is blocking access, although if you know the structure of the /docs folder, you can see the files exist and can be loaded, as in the example of the phpBB 3.2.x Changelog above.

A two part question,
  1. Should the /docs folder be accessible on a forum?
  2. If not, should the Updating 3.2.x instructions be changed so instruct the admin NOT to upload the /docs folder
Normal people… believe that if it ain’t broke, don’t fix it. Engineers believe that if it ain’t broke, it doesn’t have enough features yet. – Scott Adams
User avatar
Mick
Support Team Member
Support Team Member
Posts: 26503
Joined: Fri Aug 29, 2008 9:49 am

Re: Should /docs folder be deleted during install or update?

Post by Mick »

They’re for reference and don’t take up much room why would you want to delete them?
  • "The more connected we get the more alone we become" - Kyle Broflovski©
  • "The good news is hell is just the product of a morbid human imagination.
    The bad news is, whatever humans can imagine, they can usually create.
    " - Harmony Cobel
User avatar
P_I
Community Team Member
Community Team Member
Posts: 2349
Joined: Tue Mar 01, 2011 8:35 pm
Location: Western Canada 🇨🇦
Contact:

Re: Should /docs folder be deleted during install or update?

Post by P_I »

The first thought was they serve no purpose to the end-user (members and guests) and are really only useful to an admin, so why put them up on the server. Based on checking a number of other phpBB sites, it seems hit and miss whether admins have uploaded this folder, so I thought I'd seek out 'best practices' here by asking the question.

There is also a security angle. I was discussing with a co-admin and the fact that the Changelog provides an easy method to detect the phpBB version was somewhat of a concern for security reasons. Particularly since phpBB 3.2.5 is now known to have open security issues which were disclosed in the phpBB 3.2.6 announcement. BTW, I know there are other methods to view phpBB source files that can yield the phpBB version, so this won't completely solve the issue.
Normal people… believe that if it ain’t broke, don’t fix it. Engineers believe that if it ain’t broke, it doesn’t have enough features yet. – Scott Adams
User avatar
david63
Registered User
Posts: 20646
Joined: Thu Dec 19, 2002 8:08 am

Re: Should /docs folder be deleted during install or update?

Post by david63 »

P_I wrote: Tue May 07, 2019 1:02 pm I was discussing with a co-admin and the fact that the Changelog provides an easy method to detect the phpBB version was somewhat of a concern for security reasons
And just how is anybody going to access that file on the server? If they can then I would have far greater concerns about the server security than knowing which version of phpBB I was using.

Just for the record I either delete them or don't upload them - and that goes for any software package.
David
Remember: You only know what you know and - you don't know what you don't know!

I now no longer support any of my extensions but they will start to become available here
User avatar
P_I
Community Team Member
Community Team Member
Posts: 2349
Joined: Tue Mar 01, 2011 8:35 pm
Location: Western Canada 🇨🇦
Contact:

Re: Should /docs folder be deleted during install or update?

Post by P_I »

david63 wrote: Tue May 07, 2019 2:29 pm And just how is anybody going to access that file on the server?
docs/CHANGELOG.html reveals this forum is running on phpBB 3.2.7. Another example, http://area51.phpbb.com/phpBB/docs/CHANGELOG.html confuses the version issue, but demonstrates that although the /docs directory listing isn't available, knowing the file names that could exist in the directory allows one to access files in that directory.
david63 wrote: Tue May 07, 2019 2:29 pm Just for the record I either delete them or don't upload them - and that goes for any software package.
I'm inclined to agree as I don't see any end-user need for having the /docs folder on the server. Which leads back to my original question(s) since following the official (knowledge base) instructions is the best approach to successful updating and operating a phpBB forum.
P_I wrote: Tue May 07, 2019 12:36 pm A two part question,
  1. Should the /docs folder be accessible on a forum?
  2. If not, should the Updating 3.2.x instructions be changed so instruct the admin NOT to upload the /docs folder
Normal people… believe that if it ain’t broke, don’t fix it. Engineers believe that if it ain’t broke, it doesn’t have enough features yet. – Scott Adams
User avatar
WelshPaul
Registered User
Posts: 420
Joined: Tue Aug 19, 2014 2:09 pm

Re: Should /docs folder be deleted during install or update?

Post by WelshPaul »

Just don't upload the docs directory - That's how i've been doing it since 2006.
User avatar
3Di
I've Been Banned!
Posts: 17538
Joined: Mon Apr 04, 2005 11:09 pm
Location: I'm with Ukraine 🇺🇦
Name: Marco
Contact:

Re: Should /docs folder be deleted during install or update?

Post by 3Di »

The phpBB version can easily be spoofed by the style.cfg file of a template.
And you can't hide such file. ;)
🆓 Free support for our extensions also provided here: phpBB Studio
🚀 Looking for a specific feature or alternative option? We will rock you!
Please PM me only to request paid works. Thx. Buy me a coffee -> Image
My development's activity º PhpStorm's proud user º Extensions, Scripts, MOD porting, Update/Upgrades
Lady_G
Registered User
Posts: 272
Joined: Fri Jun 08, 2012 12:38 pm
Location: US

Re: Should /docs folder be deleted during install or update?

Post by Lady_G »

I always delete my /docs folder.

Those files are part of the install package and have no functional purpose after the installation has completed. I think it is good programming practice to remove non-functioning code - which includes documentation.
User avatar
2600
I've Been Banned!
Posts: 2567
Joined: Fri Nov 14, 2014 5:14 pm
Location: Area-51

Re: Should /docs folder be deleted during install or update?

Post by 2600 »

I was wondering this myself, and as a slight security issue it would be prudent to just remove them.

Edit-

And wow! I see a popular phpBB website has their docs folder in tact. If I were out to hack them that be the avenue I'd go after. Perhaps the KB article should have some verbiage there that says that the docs folder should be removed after updating.
Morpheus: Unfortunately, no one can be told what The Matrix is. You'll have to see it for yourself.
Hack me.
Consider a canary token.
The nature of my chosen username
:ugeek:
User avatar
AmigoJack
Registered User
Posts: 6108
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン
Contact:

Re: Should /docs folder be deleted during install or update?

Post by AmigoJack »

  1. Should? No. Could? Yes. And I speak for being available entirely, not just only to one forum.
  2. Keep in mind that a ZIP file could also be extracted on the server, so "not uploading" is not the appropriate advice. A better advice would be to delete them once going live. phpBB killed showing its version in the footer for security reasons - it's just inconsistent to not even try it with other files, too.
  • "The problem is probably not my English but you do not want to understand correctly. ... We will not come anybody anyway, nevertheless, it's best to shit this." Affin, 2018-11-20
  • "But this shit is not here for you. You can follow with your. Maybe the question, instead, was for you, who know, so you shoved us how you are." axe70, 2020-10-10
  • "My reaction is not to everyone, especially to you." Raptiye, 2021-02-28
User avatar
Lumpy Burgertushie
Registered User
Posts: 69223
Joined: Mon May 02, 2005 3:11 am
Contact:

Re: Should /docs folder be deleted during install or update?

Post by Lumpy Burgertushie »

they removed the version number from the footer because certain versions of phpbb2 had a lot of vulnerabilities.
hackers were able to simply do a google search for the text of the version number in the footer and be able to find the boards that were still vulnerable.

as far as I know, since phpbb3 there have been no vulnerabilities that knowing a version number would help.

the docs folder has been left in most of the boards around the world for ever. if there was a way to hack into phpbb by viewing that file I would imagine someone would have figured it out by now.

it really does not help the phpbb board owners to see these kinds of discussions about things that are really not anything for them to worry about.


robert
Premium phpBB 3.3 Styles by PlanetStyles.net

I am pleased to announce that I have completed the first item on my bucket list. I have the bucket.
User avatar
P_I
Community Team Member
Community Team Member
Posts: 2349
Joined: Tue Mar 01, 2011 8:35 pm
Location: Western Canada 🇨🇦
Contact:

Re: Should /docs folder be deleted during install or update?

Post by P_I »

Lumpy Burgertushie wrote: Wed May 08, 2019 5:44 pm it really does not help the phpbb board owners to see these kinds of discussions about things that are really not anything for them to worry about.
Sorry but I respectfully disagree. Let me explain why.
Lumpy Burgertushie wrote: Wed May 08, 2019 5:44 pm the docs folder has been left in most of the boards around the world for ever. if there was a way to hack into phpbb by viewing that file I would imagine someone would have figured it out by now.
From a security point of view, phpBB 3.2.6 Release - Please Update specifically states that previous versions of phpBB had security vulnerabilities that were addressed. Whether or not they could be exploited is another issue outside of this discussion. That's why security researchers typically contact the software developers about potential vulnerabilities before the information is publicly made available.

It is also pretty well known that site admins don't always update their phpBB versions as soon as new release comes out. So there will be plenty of phpBB sites running versions that contain these known security vulnerabilities. But how does one find which ones?

The point of my asking the question about the /docs folder is it contains know filenames (CHANGELOG.html), that if present, would allow someone to determine what phpBB version was operating on the site. This information, together with the above knowledge of security vulnerabilities in for example, phpBB 3.2.5, could be of concern with site admins working to ensure ALL precautions are taken to protect their site.
Normal people… believe that if it ain’t broke, don’t fix it. Engineers believe that if it ain’t broke, it doesn’t have enough features yet. – Scott Adams
User avatar
P_I
Community Team Member
Community Team Member
Posts: 2349
Joined: Tue Mar 01, 2011 8:35 pm
Location: Western Canada 🇨🇦
Contact:

Re: Should /docs folder be deleted during install or update?

Post by P_I »

Normal people… believe that if it ain’t broke, don’t fix it. Engineers believe that if it ain’t broke, it doesn’t have enough features yet. – Scott Adams
User avatar
canonknipser
Registered User
Posts: 2096
Joined: Thu Sep 08, 2011 4:16 am
Location: Germany
Name: Frank Jakobs
Contact:

Re: Should /docs folder be deleted during install or update?

Post by canonknipser »

As mentioned earlier in this discussion, it is not only the docs folder giving informations about the current phpBB version, but also the style.cfg.So, for security reason, this file, which is present for every style, needs to be protected (eg. via .htaccess) as it can't be removed. There may be other files as well which have sensitive information about the current phpBB version and are accessible via direct browsing.
Greetings, Frank
phpbb.de support team member
English is not my native language - no support via PM or mail
New arrival - Extensions and scripts for phpBB
User avatar
2600
I've Been Banned!
Posts: 2567
Joined: Fri Nov 14, 2014 5:14 pm
Location: Area-51

Re: Should /docs folder be deleted during install or update?

Post by 2600 »

Here are the files I found that mention the current version of phpBB one might be using. I used the program Fileseek to find them.

Code: Select all

\posting.php
\viewforum.php
\viewtopic.php
\cache\production\data_global.php
\docs\CHANGELOG.html
\includes\constants.php
\includes\functions_display.php
\includes\mcp\mcp_reports.php
\includes\ucp\ucp_pm_viewmessage.php
\phpbb\db\migration\data\v32x\v325.php
\phpbb\db\migration\data\v32x\v325rc1.php
\styles\prosilver\style.cfg
Perhaps if any of those files are accessible, someone could create an extension to prevent someone from looking at them rather then messing around with a bunch of htaccess files. Though, I'm thinking an extension can be bypassed.
Morpheus: Unfortunately, no one can be told what The Matrix is. You'll have to see it for yourself.
Hack me.
Consider a canary token.
The nature of my chosen username
:ugeek:
Post Reply

Return to “phpBB Discussion”