File Cache vs Wincache, APCU, Memcached

Get help with installation and running phpBB 3.3.x here. Please do not post bug reports, feature requests, or extension related questions here.
Steven Terblanche
Registered User
Posts: 6
Joined: Mon Jan 18, 2021 10:50 am

File Cache vs Wincache, APCU, Memcached

Post by Steven Terblanche »

What version of phpBB are you using? phpBB 3.3.1
What is your board's URL? Will supply on request.
Who do you host your board with? Hosted by Organization NOT hosting companies.
How did you install your board? I used the download package from phpBB.com
What is the most recent action performed on your board? Fresh Install
Is registration required to reproduce this issue? No
Do you have any MODs installed? No
Do you have any extensions installed? No
What styles do you currently have installed? Absolution
What language(s) is your board currently using? English
Which database type/version are you using? MS SQL Server
What is your level of experience? Fairly competent in phpBB but expert in PHP

CHALLENGE
  • Due to a directive from the Organization's IT Security team, writing files to and creating folders in the /cache folder (or any other folder) is prohibited.
  • Writing an extended class for phpBB to solve the challenge would be counter productive and time consuming.
PLATFORM
  • phpBB 3.3.1
  • Windows Server 2012 R2
  • IIS 8.5
  • PHP 7.3.8
SETUP & CONFIGURATION
  • Appropriate PHP extensions (.dll) in IIS for the ACM types listed below were installed. (Links available on request)
  • All the caching systems installed do show up in php_info. (Available on request)
  • Tested each caching system with native PHP code. (Available on request)
  • All tests passed, concluding that the caching system selected is installed and functioning.
  • Configured (config.php) and tested with each of the following ACM Types:


$acm_type = 'apcu';
$acm_type = 'wincache';
$acm_type = 'phpbb\\cache\\driver\\memcached';
TESTING
  • Isolated phpBB so that I am the only user
  • Update the config.php to reflect the chosen caching system (above)
  • Delete the production folder
  • Visit the forum
RESULT
  • The Production folder and TWIG files are created in the cache folder. (Screenshot available on request)
RESEARCH
  • I have Googled extensively and can not seem to find an answer on how to stop files writing to the Cache folder.
QUESTION
  • Is it possible to stop phpBB from writing to the cache folder and still function?

Any help or suggestions would be highly appreciated.

PS: If anyone has experience with successfully setting up phpBB in a secure environment (as described above), especially being able to pass a BURP (https://portswigger.net/burp) test, I would appreciate your input.

Regards,

Steven Terblanche
Last edited by Mick on Fri Jan 22, 2021 9:19 am, edited 5 times in total.
Reason: Solved
david63
Registered User
Posts: 19030
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK
Contact:

Re: Security Issue - File Cache vs Wincache, APCU, Memcached

Post by david63 »

Steven Terblanche wrote:
Mon Jan 18, 2021 11:03 am
Who do you host your board with? Self Hosted
Steven Terblanche wrote:
Mon Jan 18, 2021 11:03 am
Due to security considerations imposed on me
Those two statements would appear to be contradictory - if you are hosting the board yourself then any restrictions are self imposed.
David
Remember: You only know what you know and - you don't know what you don't know!
My CDB Contributions | How to install an extension
I will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.
No support requests via PM or email as they will be ignored
Steven Terblanche
Registered User
Posts: 6
Joined: Mon Jan 18, 2021 10:50 am

Re: Security Issue - File Cache vs Wincache, APCU, Memcached

Post by Steven Terblanche »

Hi David

You are correct, I should have been more clear.

With "self hosted" I meant that the forum is NOT hosted by hosting companies, but by the organization itself. I only consult.

Steven
JoshyPHP
Code Contributor
Posts: 1209
Joined: Mon Jul 11, 2011 12:28 am

Re: Security Issue - File Cache vs Wincache, APCU, Memcached

Post by JoshyPHP »

Template files are always written to the cache folder, as well as any self-generated code. That means the twig directories, the s9e_renderer_*.php file, the url_*.php files and possibly others.

Generated code has to be persisted to the disk, there's no way around that.
I wrote the thing that does BBCodes in 3.2+.
Steven Terblanche
Registered User
Posts: 6
Joined: Mon Jan 18, 2021 10:50 am

Re: Security Issue - File Cache vs Wincache, APCU, Memcached

Post by Steven Terblanche »

Hi JoshyPHP

Thank you for the clarification, it is highly appreciated.

Am I therefore correct in assuming that using ACM Type "file", all cache files would be written to the cache/production folder? Should this be the case, the concern is that "random" files and directories are created, and these files should be executable because of the rendered .php.* files.

I apologize for not researching, but is there a way to move the cache folder to a non-publicly accessible location? What IIS rights should said folder have?

Thank you for your willingness to assist.

Regards,

Steven
Paul
Infrastructure Team Leader
Posts: 27158
Joined: Sat Dec 04, 2004 3:44 pm
Location: The netherlands.
Name: Paul Sohier
Contact:

Re: File Cache vs Wincache, APCU, Memcached

Post by Paul »

Writing to the cache directory is not a security issue, and as such I have removed that from your topic title.
In all cases phpBB has a requirement that it has a directory that is writeable, and if you don't have that ability you won't be able to use phpBB.
Steven Terblanche
Registered User
Posts: 6
Joined: Mon Jan 18, 2021 10:50 am

Re: File Cache vs Wincache, APCU, Memcached

Post by Steven Terblanche »

Hi Paul,

Thank you for your response and correcting the topic title, I appreciate it.

With regards to the cache folder.
I do understand that it is needed and that it is "cast in stone"

Is there a way of moving the cache directory out of the IIS wwwroot folder, to a folder not accessible to the public - i.e. only assign IIS rights to access the folder on a read-only basis?

Regards,

Steven
JoshyPHP
Code Contributor
Posts: 1209
Joined: Mon Jul 11, 2011 12:28 am

Re: Security Issue - File Cache vs Wincache, APCU, Memcached

Post by JoshyPHP »

Steven Terblanche wrote:
Mon Jan 18, 2021 1:29 pm
is there a way to move the cache folder to a non-public accessible location? What IIS rights should said folder have?
Looking at the configuration files in config/, there's a parameter called core.cache_dir that determines where the dir is located. I suppose you can create a custom environment and define your own but that's something you'll have to check for yourself. AFAIK, the rest is basic server management that the IT team should be able to set; the cache dir doesn't have to be publicly readable or writable, it only has to be accessible by the PHP process but I don't know about Windows file permissions. I'd be surprised if it was different from Linux.
I wrote the thing that does BBCodes in 3.2+.
Brf
Support Team Member
Posts: 52298
Joined: Tue May 10, 2005 7:47 pm
Contact:

Re: File Cache vs Wincache, APCU, Memcached

Post by Brf »

phpBB uses a web.config file for IIS that operates like the .htaccess file in Apache. It blocks http access to the cache folders and other sensitive files.
Lumpy Burgertushie
Registered User
Posts: 68549
Joined: Mon May 02, 2005 3:11 am
Contact:

Re: File Cache vs Wincache, APCU, Memcached

Post by Lumpy Burgertushie »

Also, the cache folder is not available to the public anyway. Try accessing it in your browser.


robert
I'm baaaaaccckkkk. still doing work on donation basis. PM your needs.

Premium phpBB 3.3 Styles by PlanetStyles.net

I am pleased to announce that I have completed the first item on my bucket list. I have the bucket.
Brf
Support Team Member
Posts: 52298
Joined: Tue May 10, 2005 7:47 pm
Contact:

Re: File Cache vs Wincache, APCU, Memcached

Post by Brf »

Lumpy Burgertushie wrote:
Mon Jan 18, 2021 6:57 pm
the cache folder is not available
Yes. I just explained why.
Steven Terblanche
Registered User
Posts: 6
Joined: Mon Jan 18, 2021 10:50 am

RESOLVED: File Cache vs Wincache, APCU, Memcached

Post by Steven Terblanche »

I would like to thank you all for your prompt and insightful assistance. I have managed to set up, secure and test, and the cache folders are secure and only accessible to the PHP process.

To conclude, to secure the cache and other specific folders, the following needs to be added to web.config in IIS:


		<security>
			<requestFiltering>
				<hiddenSegments>
					<add segment="cache" />
					<add segment="files" />
					<add segment="includes" />
					<add segment="phpbb" />
					<add segment="store" />
					<add segment="vendor" />
					<add segment="config.php" />
					<add segment="common.php" />
				</hiddenSegments>
			</requestFiltering>
		</security>
Once again, thank you all!

Steven Terblanche
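
An offline check of the web.config shown in the post above, as an added example that is not part of the original thread or of phpBB: it parses a site's hiddenSegments, reports which of the eight entries from the post are missing, and models the whole-segment match. The sample file and function names are constructed for illustration, and case-insensitive matching is an assumption.

```python
import xml.etree.ElementTree as ET

# Segments hidden by the web.config in the post above.
REQUIRED = {"cache", "files", "includes", "phpbb", "store", "vendor",
            "config.php", "common.php"}

# Constructed sample: a site web.config that lists only some of them.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <hiddenSegments>
          <add segment="cache" />
          <add segment="Store" />
          <add segment="config.php" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>"""

def hidden_segments(web_config_xml):
    """Lower-cased hiddenSegments entries after applying add/remove/clear."""
    segments = set()
    for hs in ET.fromstring(web_config_xml).iter("hiddenSegments"):
        for child in hs:
            name = (child.get("segment") or "").strip().lower()
            if child.tag == "clear":
                segments.clear()
            elif child.tag == "remove":
                segments.discard(name)
            elif child.tag == "add" and name:
                segments.add(name)
    return segments

def missing_segments(web_config_xml, required=frozenset(REQUIRED)):
    """Required entries the file does not hide (server-level defaults not seen)."""
    return sorted(required - hidden_segments(web_config_xml))

def is_hidden(url_path, segments):
    """Model of the whole-segment match: /cache/x is hidden, /cachebuster is not.
    Case-insensitive comparison is an assumption of this sketch."""
    parts = [p.lower() for p in url_path.split("?", 1)[0].split("/") if p]
    return any(p in segments for p in parts)

if __name__ == "__main__":
    print("missing:", missing_segments(SAMPLE_WEB_CONFIG))
    print(is_hidden("/cache/production/twig/x.php", hidden_segments(SAMPLE_WEB_CONFIG)))
```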