qdPM Information Disclosure
Description
The qdPM web application exposes sensitive configuration files to unauthenticated users due to improper web server configuration. These configuration files, typically located in predictable paths such as /core/config/ or /backups/, contain database credentials and other sensitive system information that should be restricted from public access.
Remediation
Implement the following measures to restrict access to sensitive configuration files:
1. Configure the web server to deny access to configuration directories. For Apache, add the following to your virtual host configuration (the DirectoryMatch directive is only permitted in the server or virtual host context, not in .htaccess files, where a RedirectMatch 403 rule for the same pattern can be used instead):

    # Matched against the filesystem path of each directory; the pattern is unanchored,
    # so it covers these directories wherever the qdPM document root is installed
    <DirectoryMatch "/(core/config|backups|uploads/users|uploads/attachments)">
        Require all denied
    </DirectoryMatch>

For Nginx, add to your server block:

    # Case-insensitive regex location, matched against the request URI.
    # "return 403" is evaluated before "deny all", so either line on its own is sufficient.
    location ~* /(core/config|backups|uploads/users|uploads/attachments) {
        deny all;
        return 403;
    }

2. Move configuration files outside the web root directory whenever possible
3. Ensure configuration files have restrictive file permissions (e.g., 640 or 600)
4. Remove any backup files or archives from web-accessible directories
5. Verify the configuration by attempting to access sensitive files from an unauthenticated session
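The following script is an added example for steps 3 and 5 of the remediation above; it is not part of qdPM or of this advisory. It probes the directories the advisory names from an unauthenticated session (no cookies or credentials are sent) and reports any path that does not answer with 401, 403 or 404, and it checks that the configuration files an operator passes on the command line carry no permission bits beyond mode 640. The base URL, the file list and the "qdpm-config-check" User-Agent are operator-supplied assumptions, and the fetch function is injectable so the logic can be exercised offline.

```python
"""Post-remediation check for the qdPM configuration exposure.

Added example, not code from qdPM or from the advisory. Assumptions: the
operator supplies the site base URL and the on-disk config file paths.
"""
import os
import stat
import sys
import urllib.error
import urllib.request

# Directories the advisory identifies as exposed. Request each as a directory
# and as a representative file inside it (file names here are constructed).
SENSITIVE_PATHS = [
    "/core/config/",
    "/core/config/databases.yml.example",   # constructed sample name
    "/backups/",
    "/backups/backup.sql",                  # constructed sample name
    "/uploads/users/",
    "/uploads/attachments/",
]

# Any of these means the web server refused or hid the resource.
BLOCKED_STATUSES = {401, 403, 404}

# Permission bits that must NOT be set if the file is to be 640 or tighter:
# anything for "other", plus group write/execute.
DISALLOWED_BITS = stat.S_IRWXO | stat.S_IWGRP | stat.S_IXGRP


def http_status(url, timeout=10):
    """Unauthenticated GET: no cookies, no auth header, just the status code."""
    req = urllib.request.Request(url, headers={"User-Agent": "qdpm-config-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


def classify(status):
    """Map an HTTP status to a verdict for a path that should be inaccessible."""
    return "blocked" if status in BLOCKED_STATUSES else "EXPOSED"


def check_web(base_url, paths=SENSITIVE_PATHS, fetch=http_status):
    """Return {path: (status, verdict)} for each sensitive path under base_url."""
    base = base_url.rstrip("/")
    return {p: (fetch(base + p), classify(fetch(base + p))) for p in paths}


def is_restrictive(mode):
    """True if the permission bits are a subset of 0o640 (e.g. 600, 640, 400)."""
    return (stat.S_IMODE(mode) & DISALLOWED_BITS) == 0


def check_permissions(file_paths):
    """Return {path: (octal mode, verdict)} for each configuration file on disk."""
    findings = {}
    for f in file_paths:
        mode = stat.S_IMODE(os.stat(f).st_mode)
        findings[f] = (oct(mode), "ok" if is_restrictive(mode) else "too permissive")
    return findings


def exposed_paths(results):
    """Helper: the paths still reachable after remediation."""
    return sorted(p for p, (_, verdict) in results.items() if verdict == "EXPOSED")


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: verify_qdpm.py https://qdpm.example/ [config files...]")
    base = sys.argv[1]
    for path, (status, verdict) in check_web(base).items():
        print(f"{status:>3} {verdict:8} {base.rstrip('/')}{path}")
    for f, (mode, verdict) in check_permissions(sys.argv[2:]).items():
        print(f"{mode:>6} {verdict:15} {f}")
    sys.exit(1 if exposed_paths(check_web(base)) else 0)
```

Run it against the site after applying the web server rules, passing the real configuration file paths as extra arguments; a non-zero exit code means at least one sensitive path is still served to anonymous clients. Because the check sends no session cookie, a 200 here reflects exactly what an unauthenticated visitor would receive.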