Security Advisory

This is to inform you about a misconfiguration of the Multicraft front end that seems to affect a number of users. The folder "protected" inside your Multicraft front end directory must never be accessible to the public. Having this folder publicly accessible is a security risk that has to be addressed as quickly as possible.
The "protected" folder contains a .htaccess file that will usually tell the webserver to prevent all access to this folder. On some systems this functionality is disabled and the .htaccess file has no effect. For users with this issue the recommendation is to make one of the following changes to their system immediately:
a) Enable the webserver to use the .htaccess file. This is usually done in your main Apache config file or in the config file of your website (apache2/sites-enabled/X) by changing "AllowOverride None" to "AllowOverride All" for your www directory or just adding this statement if it doesn't exist yet. A restart/reload of Apache is required after this.
b) Move the "protected" folder outside of the web accessible directories and change all paths in your index.php and api.php accordingly so the application still runs as usual.
You can check whether this applies to you by visiting your panel and replacing "index.php" with "protected/data/panel/schema.mysql.sql". For example:
If this downloads a file then you must do either a) or b) immediately until you are not prompted to download a file anymore. Checks will be added to the installer of future releases to make sure all installations have this configured correctly.
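To audit option a) from the configuration side, the following added example (not Multicraft's own code) reports which AllowOverride value Apache would apply to a directory, and therefore whether a .htaccess file there is ignored. The sample configuration and the /var/www/multicraft path are constructed assumptions, and only plain <Directory> paths are handled.

```python
import re
from pathlib import PurePosixPath

# Constructed sample config (not from the advisory); all paths are assumptions.
SAMPLE_CONF = """
<Directory />
    AllowOverride None
</Directory>
<Directory "/var/www/">
    AllowOverride None
    Require all granted
</Directory>
"""
# Same config after the change described in option a), scoped to the panel.
FIXED_CONF = SAMPLE_CONF + """
<Directory /var/www/multicraft>
    AllowOverride All
</Directory>
"""

_BLOCK = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)
_OVERRIDE = re.compile(r'^\s*AllowOverride\s+(.+?)\s*$', re.M | re.I)


def effective_allow_override(conf_text, target_dir):
    """Return the AllowOverride value Apache would apply to target_dir.

    Handles plain <Directory> paths only (no wildcards, regexes or Include
    files). Sections are merged shortest path first, so the longest matching
    section that sets AllowOverride wins; the default since 2.3.9 is None.
    """
    target = PurePosixPath(target_dir)
    value, best_depth = "None", -1
    for path, body in _BLOCK.findall(conf_text):
        section = PurePosixPath(path)
        if section != target and section not in target.parents:
            continue  # this section does not cover target_dir
        found = _OVERRIDE.findall(body)
        depth = len(section.parts)
        if found and depth >= best_depth:
            value, best_depth = found[-1], depth
    return value


def htaccess_ignored(conf_text, target_dir):
    """True when .htaccess files in target_dir have no effect."""
    return effective_allow_override(conf_text, target_dir).lower() == "none"
```

With the constructed input, `htaccess_ignored(SAMPLE_CONF, "/var/www/multicraft/protected")` is true and becomes false for `FIXED_CONF`; on a real system, pass the concatenated contents of the main Apache config and the site config.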