Horizon
Hello,
just dropping a quick feature suggestion:
Is it possible to add a new feature for Abyss hosts in the Scripting Parameters section named 'Script-Forbidden Paths' or 'Denied Script Paths' to Abyss?
The way it would work is that it will have priority over Script Paths and if any file inside a Denied Script Path is accessed by a remote client, then it will ensure that no scripting interpreter is ever triggered for it.
Thus, even if a remote client uploads a rogue PHP script or an uncommon .asp file to a vulnerable CMS, it will fail to load with an HTTP 403 error when the attacker tries to browse it.
This would act as a firewall to prevent any possibility of a script file in blacklisted/denied paths from activating PHP & even ASP.NET applications.
In the ASP.NET section, there should also be the same feature added when we want to add a new ASP.NET application, where we will be able to choose the ASP.NET version and also add Denied Script Paths, to prevent certain paths from triggering the ASP.NET engine.
So if there was a rogue .asp file accidentally uploaded to a CMS by an attacker, they would be unable to access it and a 403 HTTP error would be returned instead.
We might go even further by also adding this feature to XSSI Parameters so that we can deny user upload folders from triggering any XSSI (so it will just return the .shtml/.shtm files without any XSSI processing), if the files were in some specific Denied Paths.
I hope that this will be added in the next release of Abyss Web Server!
-Thanks
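
The precedence rule proposed in the post above, sketched as an added example; it is not part of the thread and is not Abyss Web Server code. The function names, the extension sets, the directory-prefix matching and the sample paths are assumptions made for illustration.

```python
import posixpath
from urllib.parse import unquote

# Assumed mappings; a real host would take these from its scripting settings.
SCRIPT_EXTENSIONS = {".php", ".asp", ".aspx"}
XSSI_EXTENSIONS = {".shtml", ".shtm"}

def normalize(url_path):
    """Canonicalize a request path before any deny/allow prefix matching."""
    path = unquote(url_path).replace("\\", "/")           # %2f, %73, backslashes
    path = posixpath.normpath("/" + path.lstrip("/"))     # collapse ../ and //
    path = path.rstrip(". ") or "/"   # assumption: Windows ignores trailing dots/spaces
    return path.lower()               # assumption: case-insensitive file system

def under(path, prefix):
    """True if the normalized path is the prefix directory or lies inside it."""
    prefix = normalize(prefix).rstrip("/")
    return path == prefix or path.startswith(prefix + "/")

def decide(url_path, script_paths, denied_paths):
    """Return 'execute', 'forbidden' (HTTP 403), 'process_xssi' or 'static'."""
    path = normalize(url_path)
    ext = posixpath.splitext(path)[1]
    denied = any(under(path, p) for p in denied_paths)
    if ext in SCRIPT_EXTENSIONS:
        if denied:
            return "forbidden"        # denied paths take priority over script paths
        if any(under(path, p) for p in script_paths):
            return "execute"
        return "static"
    if ext in XSSI_EXTENSIONS:
        # In a denied path the .shtml/.shtm file is returned without XSSI processing.
        return "static" if denied else "process_xssi"
    return "static"

if __name__ == "__main__":
    # Constructed sample requests against a hypothetical CMS layout.
    for req in ["/cms/index.php", "/cms/uploads/shell.php",
                "/cms/themes/..%2fUploads/x.ASP", "/cms/uploads/page.shtml"]:
        print(req, "->", decide(req, ["/cms"], ["/cms/uploads"]))
```

Matching on the raw request string instead of the normalized path would let encoded, mixed-case or `../` variants of a denied path slip past the check.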
admin
Horizon,
Your suggestion is spot on. It's been on our todo list in some alternative form.
It won't make it in the next minor release which is due in a few days.
But it will be part of the additions that will be featured in version 2.18.