zitu4life Posted April 16, 2020

Hello there

There is one of the Further Security Steps that I do not understand well...

https://docs.whmcs.com/Further_Security_Steps#Vendor_Directory

Vendor Directory

WHMCS is distributed with a vendor directory ("/vendor"). This is a common directory for advanced scripts and applications, such as WHMCS, and is comprised of various common libraries. However, web servers should not serve file requests directly from this path. Only the controlling script or application should load these libraries in order to ensure appropriate context and prevent unexpected behavior.

Apache is the recommended web server software platform on which to run WHMCS. If you are using Apache, the .htaccess distributed by WHMCS in the /vendor directory should suffice. If you are running Apache and files remain accessible, then you will want to investigate if your Apache configuration has disabled the use of .htaccess files or if there is a parent configuration that is negating the directive in the provided .htaccess file.

While other web server technologies are not officially supported, we understand that some users do wish to run WHMCS in environments other than Apache. For those that do, you must ensure that files within the /vendor directory are not served based on your web server configuration. If you are using NGINX as your web server, we have put together a general guideline to assist you and your system administrator here: Nginx Directory Access Restriction

---------------------------------------------------------------------------------

My question is: do I need to upload the existing .htaccess file that I use on my admin folder to the vendor directory too?

PS: I am not a developer of modules, nor am I using any other development API system, but if just uploading my .htaccess there keeps me safe, good, I will do that even if I do not understand how it helps.

My restriction by IP blocks admin access for all IPs outside my country, and there is no VPN available out there giving you access to a public IP of my country.

zomex Posted April 16, 2020

Hello,

In most cases you should not need to make any changes. Only certain servers/configurations will require you to make changes.

Whatever you do, don't replace or edit the .htaccess file found in whmcs_path/vendor/.htaccess

This file will block access to any directory or file within /vendor/

The .htaccess should contain:

    Deny from all

Don't replace it with any file or edit the file, as it would make your installation insecure.

To test whether your /vendor/ directory is secure as per WHMCS's default setup, you should try to visit a directory and a file using your browser, e.g.:

    https://yourdomain.com/whmcs-path/vendor/
    https://yourdomain.com/whmcs-path/vendor/whmcs/whmcs-foundation/lib/Addon.php

You should see a 403 forbidden error when visiting the above URLs (replaced with your domain/WHMCS path). If you don't, I would recommend submitting a ticket to WHMCS.

zitu4life Posted April 16, 2020

Many thanks @zomex, it is now clear 😊

I did not change it, and I got that message.

So now I understand all the Further Security Steps, and also have them implemented. 👍

zomex Posted April 17, 2020

1 hour ago, zitu4life said:
> Many thanks @zomex, it is now clear 😊 I did not change it, and I got that message. So now I understand all the Further Security Steps, and also have them implemented. 👍

Happy to help. But I would double check your URL; the 404 error is not what would be expected. If in doubt, it would be best to submit a ticket to WHMCS and have them verify that your vendor access is correctly restricted.

zitu4life Posted April 17, 2020

My mistake. I used the wrong whmcs-path; that is why the print was not as expected. Here is the right message received. Many thanks!!!
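
The browser test described in the thread, scripted with curl as an added example (it is not part of the original posts and is not WHMCS tooling). The base URL is the placeholder used in the thread, and the function names and verdict labels are assumptions made for this sketch; a 404 is reported as inconclusive because, as happened above, it usually means the WHMCS path in the URL is wrong.

```shell
#!/bin/sh
# Added example: confirm the web server refuses to serve WHMCS's /vendor.
# Function names and verdict words are hypothetical, chosen for this sketch.

# Map the HTTP status of a /vendor probe to a verdict.
classify_vendor_status() {
    case "$1" in
        403)             echo "protected" ;;     # expected with "Deny from all"
        404)             echo "inconclusive" ;;  # likely a wrong WHMCS path; recheck the URL
        200|206)         echo "exposed" ;;       # file or listing was served
        301|302|307|308) echo "redirect" ;;      # retest against the final URL
        000)             echo "unreachable" ;;   # curl got no HTTP response
        *)               echo "unexpected" ;;
    esac
}

# Probe the directory and the file named in the thread.
# Returns 0 only when both probes answer 403.
check_vendor() {
    base=${1%/}   # drop one trailing slash, if present
    rc=0
    for path in "vendor/" "vendor/whmcs/whmcs-foundation/lib/Addon.php"; do
        # -w '%{http_code}' prints only the status code; redirects are not followed
        code=$(curl -s -o /dev/null -m 10 -w '%{http_code}' "$base/$path") || code=000
        verdict=$(classify_vendor_status "$code")
        printf '%s %-12s %s\n' "$code" "$verdict" "$base/$path"
        [ "$verdict" = "protected" ] || rc=1
    done
    return "$rc"
}

# Usage: sh check_vendor.sh https://yourdomain.com/whmcs-path
if [ "$#" -gt 0 ]; then
    check_vendor "$1"
fi
```

The exit status is non-zero unless both probes return 403, so the script can be rerun after any web server or .htaccess change to catch a regression.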