Bahast7's avatar

Does Laravel have Directory Traversal issues?

Hello, first of all, thanks to everyone who replies to me :)

I have this question: does Laravel have a directory traversal issue?

If yes, how can I prevent it?

0 likes
18 replies
Sinnbeck's avatar

What do you mean? Do you have an issue?

Or are you referring to the nginx exploit? If so, then only if you misconfigured your nginx service

Laravel is of course only as safe as you make it. Follow the documentation or post code examples here if in doubt

Bahast7's avatar

@Sinnbeck I let a security checker check my Laravel website and it tells me that I have a directory traversal issue

Sinnbeck's avatar

@Bahast7 Well, that's good. That is a basic directory traversal exploit. Do you have any information at all? What URL perhaps?

MohamedTammam's avatar

@Bahast7 Laravel has an index.php which you should configure your system to go to. That's how you prevent the traversal issue.

What other information did the security checker give you?

Sinnbeck's avatar

@Bahast7 so you set the web root to be the root of the project instead of the public folder?

Bahast7's avatar

@Sinnbeck The public folder is my root folder. I set a .htaccess file that redirects to the public folder

Sinnbeck's avatar

@Bahast7 if at all possible, you should point it to the public folder. If not you need to configure your htaccess file to make absolutely sure that the user cannot access anything but public folder stuff

Bahast7's avatar

@Sinnbeck this is the .htaccess in my root directory

RewriteEngine On
RewriteCond %{REQUEST_URI} !^/public/
RewriteRule ^(.*)$ /public/ [L,QSA]

and this is the .htaccess file in my public folder

RewriteEngine On

# Handle Authorization Header
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

# Redirect Trailing Slashes If Not A Folder...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} (.+)/$
RewriteRule ^ %1 [L,R=301]

# Send Requests To Front Controller...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]

Sinnbeck's avatar

@Bahast7 Thanks. I haven't used Apache in years, so I will let someone who uses Apache answer :)

Tray2's avatar

@Bahast7 I use this in my htaccess file

RewriteEngine On 

#Rewrite everything to https
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

#Rewrite everything to subfolder 
RewriteCond %{HTTPS} on
RewriteCond %{REQUEST_URI} !^/public
Rewriterule ^(.*)$ public/ [L]

Snapey's avatar

You are demonstrating the problems with ignoring the installation advice and then hacking the framework to make it work.

Your web server has a 'document root' which is the folder that is served as the '/' entry point. Everything hosted above that should be inaccessible.

So, you need to change the document root for your server to be the Laravel public folder and then use the standard .htaccess file and the standard index.php.

How you best achieve this depends on your host.

martinbean's avatar

@bahast7 You’ve misconfigured your web server. And now you’re acting surprised there’s an issue.

Configure your web root properly. Laravel has a public directory for a reason. That’s the directory that you should be setting as the root for your virtual host; not the project’s root directory.

# Ensure that Apache listens on port 80
Listen 80

<VirtualHost *:80>
    DocumentRoot "/var/www/path/to/public"
    ServerName www.example.com

    # Other directives here
</VirtualHost>

1 like
sr57's avatar

Why do you have an .htaccess in your root directory?

  1. Suppress this file and put an empty index.html file in it.

  2. Make your Apache (virtualhost) server go to your public folder. (DocumentRoot)

  3. Keep the standard .htaccess in the public folder.

Does Laravel have Directory Traversal issues?

NO

All misconfigured frameworks/sites have Directory Traversal issues
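Added example, not part of any post in this thread: a small audit that reads an Apache config, pulls out each `DocumentRoot`, and flags the setup the replies above warn about, where the project root is served instead of `public`. The function names are made up for this example, and it assumes absolute `DocumentRoot` paths and the usual Laravel project-root files (`artisan`, `composer.json`, `.env`).

```python
import re
from pathlib import Path

# Files that live in a Laravel project root and must never sit inside the web root.
PROJECT_ROOT_MARKERS = ("artisan", "composer.json", ".env")

def document_roots(vhost_conf: str) -> list[str]:
    """Return every DocumentRoot path in an Apache config, skipping commented lines."""
    roots = []
    for line in vhost_conf.splitlines():
        m = re.match(r'\s*DocumentRoot\s+(?:"([^"]+)"|(\S+))', line, re.IGNORECASE)
        if m:
            roots.append(m.group(1) or m.group(2))
    return roots

def audit_docroot(docroot: str) -> list[str]:
    """Return findings for one DocumentRoot; an empty list means nothing was flagged."""
    root = Path(docroot)
    if not root.is_dir():
        return [f"{docroot}: directory does not exist"]
    findings = []
    exposed = [name for name in PROJECT_ROOT_MARKERS if (root / name).exists()]
    if exposed:
        findings.append(f"{docroot}: project root is served, contains {', '.join(exposed)}")
    if not (root / "index.php").is_file():
        findings.append(f"{docroot}: no index.php front controller in the web root")
    # A root-level .htaccess next to public/index.php is the redirect workaround from the thread.
    if (root / ".htaccess").is_file() and (root / "public" / "index.php").is_file():
        findings.append(f"{docroot}: relies on .htaccess to reach public/, point DocumentRoot there")
    return findings

def audit_config(vhost_conf: str) -> dict[str, list[str]]:
    """Map each DocumentRoot found in the config to its list of findings."""
    return {r: audit_docroot(r) for r in document_roots(vhost_conf)}

if __name__ == "__main__":
    import sys
    for root, findings in audit_config(Path(sys.argv[1]).read_text()).items():
        print(root, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run it with the path to a vhost file as the only argument; a root that prints `OK` has `index.php` in it and none of the project-root files.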