File Cache vs Wincache, APCU, Memcahed

Steven Terblanche · Post by **Steven Terblanche** » Mon Jan 18, 2021 11:03 am

What version of phpBB are you using? phpBB 3.3.1
What is your board's URL? Will supply on request.
Who do you host your board with? Hosted by Organization NOT hosting companies.
How did you install your board? I used the download package from phpBB.com
What is the most recent action performed on your board? Fresh Install
Is registration required to reproduce this issue? No
Do you have any MODs installed? No
Do you have any extensions installed? No
What styles do you currently have installed? Absolution
What language(s) is your board currently using? English
Which database type/version are you using? MS SQL Server
What is your level of experience? Fairly competent in phpBB but expert in PHP

CHALLENGE

Due to a directive from the Organization's IT Security team, writing files to and creating folders in the /cache folder (or any other folder) is prohibited.

Writing an extended class for phpBB to solve the challenge would be counter productive and time consuming.

PLATFORM

phpBB 3.3.1

Windows Server 2012 R2

IIS 8.5

PHP 7.3.8

SETUP & CONFIGURATION

Appropriate PHP extentions (.dll) in IIS for the ACM types listed below was installed. (Links available on request)

All the caching systems installed does show up in php_info. (Available on request)

Tested each caching system with native PHP code. (Available on request)

All tests passed, concluding that the caching system selected is installed and functioning.

Configured (config.php) and tested with each of the following ACM Types:

Code: Select all

$acm_type = 'apcu';
$acm_type = 'wincache';
$acm_type = 'phpbb\\cache\\driver\\memcached';

TESTING

Isolated phpBB that I am the only user

Update the config.php to reflect the chosen caching system (above)

Delete the production folder

Visit the forum

RESULT

The Production folder and TWIG files are created in the cache folder. (Screenshot available on request)

RESEARCH

I have Googled extensively and can not seem to find an answer on how to stop files writing to the Cache folder.

QUESTION

Is it possible to stop phpBB from writing to the cache folder and still function?

Any help or suggestions would be highly appreciated.

PS: If anyone has experience with successfully setting up phpBB in a secure environment (as described above), especially being able to pass a BURP (https://portswigger.net/burp) test, I would appreciate your input.

Regards,

Steven Terblanche

david63 · Post by **david63** » Mon Jan 18, 2021 11:36 am

Steven Terblanche wrote: ↑
Mon Jan 18, 2021 11:03 am
Who do you host your board with? Self Hosted

Steven Terblanche wrote: ↑
Mon Jan 18, 2021 11:03 am
Due to security considerations imposed on me

Those two statements would appear to be contradictory - if you are hosting the board yourself then any restrictions are self imposed.

Steven Terblanche · Post by **Steven Terblanche** » Mon Jan 18, 2021 11:42 am

Hi David

You are correct, I should have been more clear.

With "self hosted" I meant that the forum is NOT hosted by hosting companies, but by the organization itself. I only consult.

Steven

JoshyPHP · Post by **JoshyPHP** » Mon Jan 18, 2021 12:02 pm

Template files are always written to the cache folder, as well as any self-generated code. That means the twig directories, the s9e_renderer_*.php file, the url_*.php files and possibly others.

Generated code has to be persisted to the disk, there's no way around that.

Steven Terblanche · Post by **Steven Terblanche** » Mon Jan 18, 2021 1:29 pm

Hi JoshyPHP

Thank you for the clarification, it is highly appreciated.

Am I therefore correct in assuming that using ACM Type "file", all cache files would be written to the cache/production folder? Should this be the case, the concern is that "random" files and directories are created, and these files should be executable because of the rendered .php.* files.

I apologize for not researching, but is there a way to move the cache folder to a non-public accessible location? What IIS rights should said folder have?

Thank you for your willingness to assist.

Regards,

Steven

Post by **Paul** » Mon Jan 18, 2021 2:19 pm

Writing to the cache directory is not a security issue, and as such I have removed that from your topic title.
In all cases phpBB has a requirement that it has a directory that is writeable, and if you don't have that ability you won't be able to use phpBB.

Steven Terblanche · Post by **Steven Terblanche** » Mon Jan 18, 2021 2:40 pm

Hi Paul,

Thank you for your response and correcting the topic title, I appreciate it.

With regards to the cache folder.
I do understand that it is needed and that it is "cast in stone"

Is there a way of moving the cache directory out of the IIS wwwroot folder, to a folder not accessible to the public - i.e only assign IIS rights to access the folder on a read-only basis?

Regards,

Steven

JoshyPHP · Post by **JoshyPHP** » Mon Jan 18, 2021 2:47 pm

Steven Terblanche wrote: ↑
Mon Jan 18, 2021 1:29 pm
is there a way to move the cache folder to a non-public accessible location? What IIS rights should said folder have?

Looking at the configuration files in config/, there's a parameter called core.cache_dir that determines where the dir is located. I suppose you can create a custom environment and define your own but that's something you'll have to check for yourself. AFAIK, the rest is basic server management that the IT team should be able to set; The cache dir doesn't have to be publicly readable or writable, it only has to be accessible by the PHP process but I don't know about Windows file permissions. I'd be surprised if it was different from Linux.

Post by **Brf** » Mon Jan 18, 2021 2:55 pm

PhpBB uses a web.config file for IIS that operates like the .htaccess file in apache. It blocks http access to the cache folders and other sensitive files.

Lumpy Burgertushie · Post by **Lumpy Burgertushie** » Mon Jan 18, 2021 6:57 pm

also, the cache folder is not available to the public anyway. try accessing it in your browser.

robert

Post by **Brf** » Mon Jan 18, 2021 7:29 pm

Lumpy Burgertushie wrote: ↑
Mon Jan 18, 2021 6:57 pm
the cache folder is not available

Yes. I just explained why.

Steven Terblanche · Post by **Steven Terblanche** » Thu Jan 21, 2021 12:44 pm

I would like to thank you all for your prompt and insightful assistance. I have managed to setup, secure and test, and the cache folders is secure and only accessible to the PHP process.

To conclude, to secure the cache and other specific folders, the following needs to be added to web.config in IIS:

Code: Select all

		<security>
			<requestFiltering>
				<hiddenSegments>
					<add segment="cache" />
					<add segment="files" />
					<add segment="includes" />
					<add segment="phpbb" />
					<add segment="store" />
					<add segment="vendor" />
					<add segment="config.php" />
					<add segment="common.php" />
				</hiddenSegments>
			</requestFiltering>
		</security>

Once again, thank you all!

Steven Terblanche

advertisements