Inside each of these folders is a folder called uuid containing a page and file folder, inside of which are a LOT of cache files.
I believe the website is WordPress.
I’ve contacted my hosting provider and they said “I can confirm that there’s no cause for concern. These references are likely the result of automated processes or background activity that occasionally occur in shared hosting environments. Rest assured, your site remains secure and unaffected by this activity.”
These cache files have remained on my server for several months.
Is this super weird and something that needs to be resolved, or something to expect on a shared server? Is this anything to do with using Kirby?
What is actually inside those cache files, do they contain references to your site? Normally, these files inside the uuid folder contain content like this:
I remember having seen this on shared hosting before. I think it's caused by what the host sets in the $_SERVER vars for host and such. Kirby is tricked into creating the uuid cache for domains you do not own.
For one, you can remove all those directories.
Second, forcing the "base url" might prevent this from happening again. url | Kirby CMS
– these folders contain cache files to my website, and from the files I’ve checked, contain only files from my website, even though I have no connection to the other domains.
I believe if the server is the local host it will allow me to access all local subfolders / different versions / iterations of the site locally – and if it is not the local host it sets the base URL to only my domain?
Seems to be working so far. On the live server, the cache files for other domains have not so far been recreated. And I can also access all my local sites.
Thanks for pinging me. Because of the security relevance, I have unlisted this topic for now.
As I already wrote in my email in February, we need additional information to track this down. With the default url configuration (with no custom url option set), Kirby only retrieves the server name from the $_SERVER['SERVER_NAME'] variable, which is set directly by the web server, typically (and expected) based on the fixed web server configuration (server name of the respective vhost). So it shouldn’t occur that this variable is set to a dynamic value that can be controlled by the visitor.
Open questions for further investigation (to @Mark_E and @flokosiol):
Which web server software (nginx, Apache, Caddy etc.) do you use on the servers that are affected by this issue?
Would it be possible to provide an example web server configuration? If you don’t want to post it here, feel free to send it to lukas@getkirby.com.
Which Kirby version do you use on the affected server(s)?
For later reference: Mark’s hosting provider uses the LiteSpeed server with .htaccess. Either LiteSpeed has this behavior by default or the specific hosting provider has misconfigured it.
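A read-only audit for the cleanup suggested above, as an added example that is not part of the thread or of Kirby itself: it lists the per-host cache folders that contain a uuid folder and are not in your own list of domains, with a file count for each, so you can review them before removing anything. It assumes the cache root (site/cache in a default Kirby layout) holds one folder per host name; the function name and the host names in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: list per-host cache folders that do not belong to the site.
# Assumption: CACHE_ROOT holds one folder per host name, each with a uuid/
# subfolder, as described in the thread. Nothing is deleted.

# unexpected_cache_hosts CACHE_ROOT ALLOWED_HOST...
# Prints "<host> <file count>" for every host folder that has a uuid/
# subfolder and is not one of the allowed hosts.
unexpected_cache_hosts() {
    cache_root=$1
    shift
    for dir in "$cache_root"/*/; do
        # Skip anything that is not a per-host folder with a uuid cache
        # (this also covers an empty cache root, where the glob stays literal).
        [ -d "${dir}uuid" ] || continue
        host=$(basename "$dir")
        known=no
        for allowed in "$@"; do
            if [ "$host" = "$allowed" ]; then
                known=yes
            fi
        done
        if [ "$known" = no ]; then
            # Count every cached file below the unexpected host folder.
            count=$(find "$dir" -type f | wc -l | tr -d ' ')
            printf '%s %s\n' "$host" "$count"
        fi
    done
}

# Usage (hypothetical path and hosts):
#   sh audit-cache.sh site/cache example.com www.example.com
if [ "$#" -gt 0 ]; then
    unexpected_cache_hosts "$@"
fi
```

Folders that keep reappearing after the base URL has been fixed in the config point to the server still passing a visitor-controlled host name to PHP.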