Effect of exposing your system folder
#1

[eluser]Unknown[/eluser]
How bad is it if a malicious user ever finds out your system folder? I mean, if you put an index.html file in the system folder, it's basically no longer accessible.

Is there anything I am missing that could make the system folder vulnerable?

Thanks.
#2

[eluser]GSV Sleeper Service[/eluser]
Personally, I move the system folder out of the web root.
Most system files contain this line:
Code:
if (!defined('BASEPATH')) exit('No direct script access allowed');
which stops anyone from directly accessing the file, but in the event of Apache serving up PHP files as plain text (it happened to Facebook about a year ago), anyone familiar with the CI layout could easily grab your database login details.
#3

[eluser]simshaun[/eluser]
On Apache, in an .htaccess file, you can turn off directory listings if you are worried about a user being able to see the directory structure.
#4

[eluser]TheFuzzy0ne[/eluser]
I wouldn't have thought it would be that bad, so long as your files are prefixed with:

Code:
<?php  if ( ! defined('BASEPATH')) exit('No direct script access allowed');

The PHP file will be executed, and won't make it past that top line. Another tactic to be used in conjunction with this is to put an empty index.html file in each directory to help prevent directory listings, and then your htaccess file can add more security.

With that said, it's easier to move the system directory out of your Web root (if you have access).

EDIT: Whoops, I totally missed GSV Sleeper Service's post. Sorry...
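The guard line quoted in posts #2 and #4 only protects a file that actually carries it, so the practical check is to find the files that don't. The script below is an added example and not code from this thread or from CodeIgniter: it lists every .php file under a tree whose first three lines lack defined('BASEPATH'). The sample tree it builds is constructed for the demonstration (hypothetical file names); the front controller index.php is expected to show up in the output, since it is the one file that must stay reachable.

```shell
#!/bin/sh
# Added example, not from the thread: audit a tree for PHP files that lack
# the BASEPATH guard. Such a file executes in full if a request reaches it
# directly, which is exactly the exposure the thread is about.

# Print each .php file below $1 that does not carry the guard near the top.
find_unguarded_php() {
    find "$1" -type f -name '*.php' | sort | while read -r f; do
        if ! head -n 3 "$f" | grep -q "defined('BASEPATH')"; then
            echo "$f"
        fi
    done
}

# Constructed sample tree (hypothetical file names, not CodeIgniter's own).
# Two of the three files intentionally have no guard.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/system/libraries" "$root/application/config"
    printf '%s\n' \
        "<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');" \
        'class Guarded {}' > "$root/system/libraries/Guarded.php"
    printf '%s\n' '<?php' \
        "\$db['default']['password'] = 'constructed-example';" \
        > "$root/application/config/database.php"
    printf '%s\n' '<?php' '// front controller: the one file that must stay reachable' \
        > "$root/index.php"
    echo "$root"
}

# Stand-alone use: audit the directory given as $1, or the constructed
# sample tree when no argument is given.
if [ "$#" -eq 0 ]; then
    demo=$(make_sample_tree)
    find_unguarded_php "$demo"
    rm -rf "$demo"
else
    find_unguarded_php "$1"
fi
```

Run it against your own web root with the path as the first argument; anything it prints besides index.php is a file that would run with no guard if the web server ever handed a request straight to it, which is the case GSV Sleeper Service describes.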
#5

[eluser]Daniel Moore[/eluser]
If you must have your system folder within the web root because of limitations of the hosting provider (it happens) then put an .htaccess file in the system folder with the following content:

Code:
deny from all

This will prevent anyone from gaining "accidental" access to the files unless they have FTP access.

It is always best, however, to place it outside the web root whenever possible.
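Both of Daniel Moore's options as working shell functions; this is an added example, not code from the thread or from CodeIgniter. It assumes two things that are not in the original post: that Apache honours .htaccess in that directory (AllowOverride must permit it, and the "deny from all" spelling is Apache 2.2 syntax, which Apache 2.4 replaced with "Require all denied", so the file below carries both), and that the front controller sets $system_path (CI 2/3) or $system_folder (CI 1.x) to locate the system directory. The sample site it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread. Two fallbacks from post #5 as shell
# functions: (1) an .htaccess that denies web access to system/ on both
# Apache 2.2 ("Deny from all") and 2.4+ ("Require all denied"), for hosts
# where system/ must stay under the web root; (2) moving system/ one level
# above the web root and pointing the front controller at it.

# Write a deny-all .htaccess into directory $1. Assumes AllowOverride lets
# .htaccess set access directives; with AllowOverride None it is ignored.
write_deny_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
# Block every request for files in this tree (Apache 2.4+ syntax)
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
# Same thing for Apache 2.2 (mod_authz_host)
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# Move $1/system to the parent of $1 and rewrite the front controller so
# CodeIgniter finds it there. Assumes index.php sets $system_path (CI 2/3)
# or $system_folder (CI 1.x); the sed pattern matches either name.
relocate_system() {
    webroot=$1
    target=$(dirname "$webroot")/system
    if [ -e "$target" ]; then
        echo "refusing to overwrite $target" >&2
        return 1
    fi
    mv "$webroot/system" "$target" || return 1
    sed "s|^\(\$system_[a-z]* *= *\).*;|\1'../system';|" "$webroot/index.php" \
        > "$webroot/index.php.tmp" && mv "$webroot/index.php.tmp" "$webroot/index.php"
}

# Constructed sample site: a web root with a minimal index.php and system/.
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/htdocs/system/core"
    printf '%s\n' '<?php' "\$system_path = 'system';" \
        "\$application_folder = 'application';" > "$site/htdocs/index.php"
    echo "<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');" \
        > "$site/htdocs/system/core/Sample.php"
    echo "$site"
}
```

After relocate_system the web server can no longer be tricked into serving anything from system/ at all, guard line or not, which is why it beats the .htaccess approach: the .htaccess still depends on the server reading it and on PHP files never being served as plain text.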
