3

I have 3 different Laravel projects inside public_html (that is, one level below) on a shared hosting.

I changed each domain/subdomain document root path to point to the respective project/public folder (i.e. public_html/project1/public)

Additionally I put the Options -Indexes statement in my .htaccess files so people can't browse directly into my project files, and denied all access to .env files.

Is there still a vulnerability doing this?

Jk33
  • 855
  • 3
  • 12
  • 28
  • 1
    Yes, it's potentially very unsafe. Worst case scenario, you might do things like accidentally expose your database credentials. – Joel Hinz Jan 20 '18 at 23:08

2 Answers

3

I assume that when you mention public_html, you are using a cPanel-like shared hosting solution. In these scenarios, the Apache hosting configuration and access to the respective folders is managed by the hosting provider. That means you have limited ability to restrict access to your code. Typically the hosting provider makes all files in public_html public.

So if my assumption on your setup is correct, the answer to your question is: Yes, this is unsafe.

You may also want to know: How can someone install Laravel safely on a shared hosting server?

You should follow the instructions from laravel-news. This article will show you how to pull out the folders that should be public and update your configuration to point to the subfolders that migrated to a new location.

Hope this helps.

Dom DaFonte
  • 1,619
  • 14
  • 31
  • Your assumption is correct. Following that secure approach in your link, would it be possible to have multiple projects (different domains) on the same account? Each project needs its own files (i.e. the .env file), but there's only one "public_html" folder. – Jk33 Jan 21 '18 at 02:18
  • I meant each project needs its own "public" folder to store css, images, etc (forget about the env file) – Jk33 Jan 21 '18 at 02:26
  • 1
    @user1604542, yes you can. You would need to give your public folders unique names, and you'd have to update the .htaccess for each (usually possible through cPanel). Typically when you add a new domain to your cPanel, it will create the respective public folder for it in public_html. Also check if Softaculous has Laravel. Some hosting providers offer a Laravel solution in Softaculous. I personally run blogs on a shared hosting solution, but build my Laravel projects on AWS, and I would recommend using AWS for Laravel. Look into their free 12 month tier. https://aws.amazon.com/free – Dom DaFonte Jan 21 '18 at 02:28
  • 1
    Awesome, yeah I was actually wondering what would be a better hosting option. Thanks man! – Jk33 Jan 21 '18 at 02:29
  • No problem, and welcome to Stack Overflow! Be sure to upvote and select this as the answer if it answered your question :). – Dom DaFonte Jan 21 '18 at 02:32
2

You shouldn't ever keep the application source files in a publicly accessible location. That is the entire point of having a public directory in the first place, to restrict what can be accessed.
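A self-check that follows from both answers, added here as an example (not code from the thread or from Laravel): a POSIX shell audit that lists Laravel application files sitting beneath a web-served public_html tree, then shows it against the question's layout and against the "moved out" layout the accepted answer recommends. It assumes, as the accepted answer does, that the host serves everything under public_html; the directory names and both sample layouts are constructed for the demo.

```shell
#!/bin/sh
# Audit a shared-hosting account for Laravel application files that live
# under the web-served public_html tree. Only the contents of a project's
# public/ folder belong under a document root; anything else found there
# (e.g. .env with database credentials, vendor/, storage/) is reachable by URL.

# Prints every sensitive Laravel path found beneath $1 (the served root).
# Returns 0 if the tree is clean, 1 if anything was found.
audit_public_html() {
  root="$1"
  total=0
  # Files and directories that belong to the application, never to a document root.
  for name in .env artisan composer.json vendor app bootstrap config database storage; do
    # A project's own public/ folder is meant to be served, so skip paths inside it.
    hits=$(find "$root" -name "$name" ! -path '*/public/*' 2>/dev/null)
    [ -n "$hits" ] || continue
    printf '%s\n' "$hits" | sed 's/^/EXPOSED: /'
    total=$((total + $(printf '%s\n' "$hits" | wc -l)))
  done
  [ "$total" -eq 0 ]
}

# Build one of the two layouts from the thread under scratch dir $1 (constructed):
#   unsafe: public_html/project1/{.env,vendor/,public/index.php}  (the question's layout)
#   safe:   laravel/project1/{.env,vendor/} outside the web root, and
#           public_html/project1/index.php holding only the former public/ contents
# Prints the path of the served root it created.
make_layout() {
  base="$1"; mode="$2"
  if [ "$mode" = unsafe ]; then
    mkdir -p "$base/public_html/project1/vendor" "$base/public_html/project1/public"
    : > "$base/public_html/project1/.env"
    : > "$base/public_html/project1/public/index.php"
  else
    mkdir -p "$base/laravel/project1/vendor" "$base/public_html/project1"
    : > "$base/laravel/project1/.env"
    : > "$base/public_html/project1/index.php"
  fi
  printf '%s\n' "$base/public_html"
}

# Demo: the question's layout flags .env and vendor/; the moved layout is clean.
scratch=$(mktemp -d)
audit_public_html "$(make_layout "$scratch" unsafe)" || echo "question's layout: UNSAFE"
audit_public_html "$(make_layout "$scratch/fixed" safe)" && echo "moved layout: clean"
rm -rf "$scratch"
```

On a real account, point `audit_public_html` at the actual public_html directory over SSH or from a cron job; a clean run is the signal that moving the application out of the web root, as the laravel-news article describes, actually took effect.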