Composer installed.json publicly accessible - Vulnerability Database

Description

The installed.json file generated by Composer, a PHP dependency management tool, is publicly accessible on the web server. This file contains a complete inventory of all installed packages, including their exact versions, installation paths, and dependency relationships. Composer creates this file in the vendor/composer/ directory for internal package management purposes, but it should never be exposed to public access. When accessible via HTTP requests, it reveals detailed information about the application's software components and their versions.

Remediation

Prevent public access to the Composer vendor directory and its contents using one of the following methods:

1. Web Server Configuration (Recommended)
For Apache 2.4, add to your virtual host or main server configuration (a <DirectoryMatch> block is not accepted inside .htaccess files, and "Require" needs Apache 2.4):

# Deny access to every vendor/ directory anywhere under the site
<DirectoryMatch "^/.*/vendor/">
    Require all denied
</DirectoryMatch>

For Nginx, add to your server block:

# Any URL containing /vendor/ answers 404. "return" runs in the rewrite phase,
# before "deny all" is evaluated, so 404 is what clients see; "deny all" stays
# as a fallback in case the return line is later removed.
location ~ /vendor/ {
    deny all;
    return 404;
}
2. Document Root Placement
Place the vendor directory outside the web server's document root entirely. Only the public-facing files (index.php, assets) should reside in the document root, with Composer dependencies located in a parent directory.

3. Verification
After implementing restrictions, verify that /vendor/composer/installed.json returns a 403 Forbidden or 404 Not Found error when accessed via browser.
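The verification step above can be scripted so it runs against every environment after a deploy. The following is an added example and not part of the Invicti page or of Composer itself: it requests /vendor/composer/installed.json from a base URL and classifies the answer as blocked (403/404), exposed (a 200 whose body parses as a Composer installed.json, in either the Composer 1 bare-list layout or the Composer 2 {"packages": [...]} layout), soft-block (a 200 that is really a custom error page) or unexpected. The sample bodies, package names and versions in the block are constructed for the demonstration; the function and variable names are the example's own.

```python
"""Check that Composer's installed.json is not served over HTTP.

Added example (not from the Invicti page or from Composer). Fetches the path
named in the advisory and reports what the web server returns for it.
"""
import json
import sys
import urllib.error
import urllib.request

# Path the advisory tells you to verify after locking down vendor/.
INSTALLED_JSON_PATH = "/vendor/composer/installed.json"

# Constructed sample bodies (package names and versions are made up).
SAMPLE_COMPOSER2 = json.dumps({
    "packages": [
        {"name": "acme/http-client", "version": "1.4.0", "install-path": "../acme/http-client"},
        {"name": "acme/logger", "version": "0.3.2", "install-path": "../acme/logger"},
    ],
    "dev": True,
    "dev-package-names": [],
})
SAMPLE_COMPOSER1 = json.dumps([{"name": "acme/http-client", "version": "1.4.0"}])
SAMPLE_ERROR_PAGE = "<html><body><h1>Page not found</h1></body></html>"


def parse_installed_json(body):
    """Return [(name, version), ...] if body looks like a Composer installed.json.

    Composer 1 wrote a bare JSON list of package objects; Composer 2 wraps the
    list in {"packages": [...]}. Returns None when the body is neither.
    An empty package list still counts as the file (it is Composer output).
    """
    try:
        data = json.loads(body)
    except ValueError:
        return None
    packages = data.get("packages") if isinstance(data, dict) else data
    if not isinstance(packages, list):
        return None
    found = []
    for pkg in packages:
        if not isinstance(pkg, dict) or "name" not in pkg or "version" not in pkg:
            return None
        found.append((pkg["name"], pkg["version"]))
    return found


def classify(status, body):
    """Map an HTTP status and response body to a verdict string.

    'blocked'    : 403 or 404, which is what the advisory asks for
    'exposed'    : 200 and the body is a Composer installed.json
    'soft-block' : 200 but the body is something else (custom error page);
                   not a leak, but worth a look because it hides real 404s
    'unexpected' : anything else (redirects, 5xx, ...)
    """
    if status in (403, 404):
        return "blocked"
    if status == 200:
        return "exposed" if parse_installed_json(body) is not None else "soft-block"
    return "unexpected"


def check_site(base_url, timeout=10):
    """Fetch installed.json under base_url and return (status, verdict, packages)."""
    url = base_url.rstrip("/") + INSTALLED_JSON_PATH
    req = urllib.request.Request(url, headers={"User-Agent": "installed-json-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # urllib raises on 4xx/5xx; the error object still carries status and body.
        status, body = err.code, err.read().decode("utf-8", "replace")
    verdict = classify(status, body)
    packages = parse_installed_json(body) if verdict == "exposed" else []
    return status, verdict, packages


if __name__ == "__main__":
    # Usage: python check_installed_json.py https://www.example.com
    target = sys.argv[1] if len(sys.argv) > 1 else "https://www.example.com"
    code, result, pkgs = check_site(target)
    print(f"{target}{INSTALLED_JSON_PATH}: HTTP {code} -> {result}")
    for name, version in pkgs:
        print(f"  leaked: {name} {version}")
    sys.exit(0 if result == "blocked" else 1)
```

The exit status makes the script usable as a post-deploy gate: only a 403 or 404 passes. A "soft-block" verdict is reported separately because a server that answers 200 with an error page for everything will also make browser-based checks look as if the file were present, so it deserves a manual look rather than a pass.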
