Security Alerts

Here are the security alerts that have been issued for the Gavintech Framework so far:

Security alert 001 (Priority: low)

There is a trivial way to access raw PHP pages without the framework safety wrapper: request frameworkroot/pages/page.php directly and the page runs without the framework wrapper around it. Even though individual pages should be written with this in mind, it is highly recommended to restrict HTTP access to the pages/, framework/, overrides/, daemons/ and validators/ subdirectories with .htaccess files, or by modifying the Apache configuration. Restricting these directories at the web server only blocks direct requests; the wrapper's own include() of the same files reads the filesystem and is unaffected.

Note that this flaw does not affect pages that require a login, that include any files from the includes folder, or that call any functions defined in the includes folder; this should be most pages. The pages that may be affected should not pose a security threat, as all important pages should be authenticated. Treat the directory restriction below as defence in depth rather than a substitute for that: check any page in pages/ that does none of the above, since it is the only kind the flaw reaches.

Use the following Apache configuration to restrict access to each folder. The directives are Apache 2.2 syntax; on Apache 2.4 they only work when mod_access_compat is loaded, and the native equivalent is Require all denied. After restarting Apache, confirm the restriction with a direct request (for example curl -I http://host/pages/page.php), which should now return 403 Forbidden:

    <Directory "(framework_dir)/pages">
        Order deny,allow
        Deny from all
    </Directory>
    <Directory "(framework_dir)/framework">
        Order deny,allow
        Deny from all
    </Directory>
    <Directory "(framework_dir)/overrides">
        Order deny,allow
        Deny from all
    </Directory>
    <Directory "(framework_dir)/daemons">
        Order deny,allow
        Deny from all
    </Directory>
    <Directory "(framework_dir)/validators">
        Order deny,allow
        Deny from all
    </Directory>
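
The same restriction in Apache 2.4 syntax, and as a per-directory .htaccess file that works on both 2.2 and 2.4. This is an added example, not configuration shipped with the Gavintech Framework; "(framework_dir)" is a placeholder for the framework's path under the document root, exactly as in the fragment above, and the path list assumes the five directories named in the alert.

```apache
# Added example, not part of the Gavintech Framework. "(framework_dir)" is
# the framework's path under the document root; replace it before use.

# Option A: Apache 2.4 server or virtual-host configuration. "Require all
# denied" (mod_authz_core) replaces "Order deny,allow" / "Deny from all"
# and does not need mod_access_compat.
<Directory "(framework_dir)/pages">
    Require all denied
</Directory>
<Directory "(framework_dir)/framework">
    Require all denied
</Directory>
<Directory "(framework_dir)/overrides">
    Require all denied
</Directory>
<Directory "(framework_dir)/daemons">
    Require all denied
</Directory>
<Directory "(framework_dir)/validators">
    Require all denied
</Directory>

# Option B: contents of a .htaccess file placed in each of the five
# directories. The IfModule tests keep the two syntaxes from being mixed:
# mod_authz_core exists only on 2.4, so 2.4 uses Require and 2.2 falls
# through to Order/Deny. Requires AllowOverride AuthConfig Limit (or All)
# on the parent directory, otherwise the file is silently ignored.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
```

Both forms only affect HTTP requests: PHP's include() reads the files from disk, so the framework wrapper keeps working while a direct request for frameworkroot/pages/page.php returns 403. If you use option B, verify AllowOverride is permitted for the framework directory, since a .htaccess that Apache is not allowed to read gives no protection at all.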