Security Issue with Lamp-Poc project (logs and config are public)


If you use PHP on glitch you may know about the lamp-poc project, a proof of concept of the apache httpd webserver. The issue is the server configuration files are public on the internet.

I understand that glitch doesn’t focus on PHP or apache, but I would love if this was patched!


Also the fact that it runs an older version of PHP is also a security issue.

PHP7.0.3 was EOL quite a while back. I did email glitch and tasha said she would bring it up with the team in charge.

Quite some security risks here.

This seem like it is serving files. Is it only this folder?

from what you said I’m sure they gonna slap on a fix

Logs are also public.

Try the php.ini file.

Yep, you can see that too.

1 Like

You can access any file on the project.

I suppose the php.ini file is an easy fix, just add a rule to your .htaccess.

1 Like

I mean, just like in expres where you can make a static site, this is acting like a static site. All of the files are public.

True, but you don’t want the log files public.

1 Like

Have you mailed Glitch?


I have written up a bug report about this. When I get a response from the team assigned to investigate, I will post an update here.