The old "Core folder is accessible by Web" issue that won't go away this time!

tm2000 · August 5, 2020, 9:42am

I have read many other posts about this, but the problem won’t go away on this site!

I have several sites, all of which are configured more or less the same way, on the same server.
ONE of them has the dreaded message on the dashboard:
Core folder is accessible by web

I know I could move the Core folder outside of the site directory, but I just want to understand why it’s happening first. All my other sites check out fine. I have used the SAME .htaccess file in the root and core folder on all of the sites.
The .htaccess in the core folder says this:

IndexIgnore / <Files *> Order Deny,Allow Deny from all

Permissions on the Core folder are 775

I think it’s something to do with the cache - because if I clear the cache, and visit the dashboard, the message disappears, but if I refresh the dashboard, the message returns!

One strange thing I noticed - If I try to visit: site.com/core/docs/changelog.txt in a browser - it diverts me to the home page rather than my 404 page - but all my other sites send me to my 404 page.

The unauthorised page setting is set to a published page in my resource tree.

I know I can move the core folder outside of the public directory, but It’s just annoying me that i can’t work out why it’s happening on this site only!

Any ideas?

Thanks!
Andy

markh · August 5, 2020, 2:35pm

Any chance the .htaccess in the root has a conflicting rule that’s causing that redirect?

The core check probably looks for a 404/401 response code, which a redirect does not satisfy, although I may be misremembering the exact condition it triggers on.

tm2000 · August 5, 2020, 3:26pm

Hi Mark,

Thanks for this.
To eliminate issues with the .htaccess file I grabbed one from a site that is behaving normally, but the error is still there, so i don’t think it has anything to do with that.

paulp · August 6, 2020, 7:34am

I have the below in my core .htaccess, can you try this:

# deny access to _all_ files in the core, including changelog.txt and error.log
# original borrowed from owncloud

# line below if for Apache 2.4
<ifModule mod_authz_core.c>
    Require all denied
</ifModule>

# line below if for Apache 2.2
<ifModule !mod_authz_core.c>
    deny from all
    Satisfy All
</ifModule>

# section for Apache 2.2 and 2.4
IndexIgnore *

tm2000 · August 6, 2020, 10:05am

Thanks Paul - yes that’s what I have already!