@anonymous-piwik-user opened this Issue on November 27th 2008


Piwik doesn't prevent listing of some key directories such as core/ or config/. This could help identifying piwik's running version.

Putting empty index.html files in those directories solves the problem.


@matthijskooijman commented on December 2nd 2008

Isn't this something that should be disabled in the webserver config instead? Any production server should have dirlisting disabled by default, though most shared hosters will probably not do this...

@mattab commented on December 2nd 2008 Member

indeed. you can always add a .htaccess with "Deny from all"

@matthijskooijman commented on December 2nd 2008

If you really want to fix this problem, you should also make sure that files and dirs like README, tmp, tests, misc, etc. are removed as well. Even better, any php files that are not meant to be called directly (ie, anything but piwik.php and index.php I guess) should be outside of the document root as well.

Piwik might could make this setup easier by supplying a "htdocs" dir, which contains all files that should be in the document root. This will slightly complicate the default "put everything in the docroot" install approach (in particular, "htdocs" will show up in the url), but most of this should be solved by symlinking just index.php and perhaps piwik.php outside of the document root. The more advanced user can then just symlink only the htdocs directory into the documentroot (which contains index.php, piwik.php/js, robots.txt and the themes' css and js).

Anyway, perhaps this should be a seperate ticket, if anyone cares...

@robocoder commented on February 4th 2010 Contributor

Fixed in [1743].

This Issue was closed on February 5th 2010
Powered by GitHub Issue Mirror