Delete subfolder in /tmp/assets and directory listing of some folders

  • Thomas_T (Topic Author)
  • New Member
3 years 1 month ago #211940 by Thomas_T
Hi everyone.

I have a question about some folders on my installed Limesurvey server.
I'm running Limesurvey 3.25.4 on Ubuntu 18.04.5.

Our Security Scanner found some folders and settings on my Limesurvey installation and declared them as a security risk.

On my server there are several subfolders in the folder /tmp/assets with random names like 117445e0 or 49b271bf or db6085.
Can I delete these subfolders? Or will it crash my installation of Limesurvey?

The second question is about "directory listing" on some folders. Can I disable it globally in my webserver configuration or will this lead to an unstable state of my installation?
Folders for example: /test or /docs or /upload

Thanks in advance
Thomas
The topic has been locked.
  • holch
  • LimeSurvey Community Team
3 years 1 month ago #211949 by holch
These assets are not "dangerous", they are created by Limesurvey to not always have to draw from the database, etc. If you delete them, Limesurvey will create them again. So this would be without end. ;-)

I'd say this is a false positive.

I answer at the LimeSurvey forum in my spare time, I'm not a LimeSurvey GmbH employee.
No support via private message.

  • DenisChenu
  • LimeSurvey Community Team
3 years 1 month ago #211965 by DenisChenu
> Our Security Scanner found some folders and settings on my Limesurvey installation and declared them as a security risk.

Lol

> The second question is about "directory listing" on some folders.

You can remove directory listing in ALL folders.

If you use Apache: we include htaccess with restriction
If you use nginx: see manual


manual.limesurvey.org/Installation_security_hints

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand, plugin development.
I don't answer to private message.
  • Thomas_T (Topic Author)
  • New Member
3 years 1 month ago #212017 by Thomas_T
Hi.

Thanks for your quick responses. I disabled "directory listing" globally and wait for the next scan.
I think the security risk was made by my own :(

Thomas
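One way to confirm on your own installation that directory listing is off for the folders named in this thread, without waiting for the next scan (an added example, not part of the original thread or of LimeSurvey). It assumes the default "Index of /" page title that Apache mod_autoindex and nginx autoindex emit; the host name and the function names are placeholders chosen for illustration.

```python
import re
import urllib.error
import urllib.request

# Folders named in the thread; adjust to your own installation.
PATHS = ["/tmp/assets/", "/test/", "/docs/", "/upload/"]

# Assumption: the server uses the default auto-index page, whose title
# starts with "Index of /" on both Apache and nginx.
LISTING_RE = re.compile(r"<title>\s*Index of /", re.IGNORECASE)


def classify(status, body):
    """Return 'listing', 'content', 'blocked', 'missing' or 'other'."""
    if status in (401, 403):
        return "blocked"      # access denied: nothing is listed
    if status == 404:
        return "missing"      # folder is not reachable at this URL
    if status == 200:
        return "listing" if LISTING_RE.search(body) else "content"
    return "other"


def fetch(url, timeout=5):
    """GET url and return (status, first 4 KiB of the body as text)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def check(base_url, paths=PATHS, fetcher=fetch):
    """Map each path to its verdict; fetcher is injectable for offline use."""
    base = base_url.rstrip("/")
    return {p: classify(*fetcher(base + p)) for p in paths}


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: check_listing.py https://survey.example.org")
    results = check(sys.argv[1])
    for path, verdict in results.items():
        print(f"{verdict:8} {path}")
    # Non-zero exit if any folder still returns an auto-index page.
    sys.exit(1 if "listing" in results.values() else 0)
```

A `blocked`, `missing` or `content` verdict for every path means no folder is serving an auto-generated index.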