Files with 0000 permissions accessible through web server #235

New Issue

MrUnknownDE · 2026-04-05T20:26:06+02:00

MrUnknownDE commented

2026-04-05 20:26:06 +02:00

Originally created by @VisolixTechnologies on 5/29/2024

CloudPanel version(s) affected

2.4.1

Description

I am facing an issue where files with permissions set to 0000 are still accessible through the web server. This behavior seems to be a potential security vulnerability, as files with no permissions should not be accessible to anyone.

How to reproduce

Upload a file (e.g., bb.png) to the web server
Set the file permissions to 0000 using chmod 0000 bb.png
Access the file through the web server URL (e.g., https://demo.com/bb.png)
The file should not be accessible, but it is still being served by the web server

Expected Behavior
Files with permissions set to 0000 should be completely inaccessible, even through the web server.
Actual Behavior
The files are still accessible and can be viewed/downloaded through the web server URL.

Environment

Operating System: Ubuntu [22.04]

Additional Information
I have tried various troubleshooting steps, such as:

Checking the web server user/group permissions
Reviewing the web server configuration files
Disabling any caching mechanisms

However, none of these steps have resolved the issue. I suspect this might be a bug or configuration issue within CloudPanel or the web server setup provided by CloudPanel.
Please investigate and provide a solution to ensure that files with 0000 permissions are not accessible through the web server, as this is a critical security concern.
Thank you for your attention to this issue.

Possible Solution

No response

Additional Context

No response

*Originally created by @VisolixTechnologies on 5/29/2024* ### CloudPanel version(s) affected 2.4.1 ### Description I am facing an issue where files with permissions set to 0000 are still accessible through the web server. This behavior seems to be a potential security vulnerability, as files with no permissions should not be accessible to anyone. ### How to reproduce 1. Upload a file (e.g., bb.png) to the web server 2. Set the file permissions to 0000 using chmod 0000 bb.png 3. Access the file through the web server URL (e.g., https://demo.com/bb.png) 4. The file should not be accessible, but it is still being served by the web server **Expected Behavior** Files with permissions set to 0000 should be completely inaccessible, even through the web server. **Actual Behavior** The files are still accessible and can be viewed/downloaded through the web server URL. **Environment** - Operating System: Ubuntu [22.04] **Additional Information** I have tried various troubleshooting steps, such as: - Checking the web server user/group permissions - Reviewing the web server configuration files - Disabling any caching mechanisms However, none of these steps have resolved the issue. I suspect this might be a bug or configuration issue within CloudPanel or the web server setup provided by CloudPanel. Please investigate and provide a solution to ensure that files with 0000 permissions are not accessible through the web server, as this is a critical security concern. Thank you for your attention to this issue. ### Possible Solution _No response_ ### Additional Context _No response_

MrUnknownDE closed this issue

2026-04-05 20:26:06 +02:00

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github/cloudpanel-ce#235