
Not a Bug Install path can be accessed without any validation

Discussion in 'Resolved Bug Reports' started by rellect, Aug 10, 2013.

  1. rellect

    rellect Well-Known Member

    Perhaps this is a situation which shouldn't be. I agree that the install path should be removed after installation, but many may forget about it.

    In vBulletin there is at least license validation. So even if a user made his way to this page, he can't actually do anything.

    Perhaps something similar should be added to XenForo as well.
    If not license validation, then some other kind of validation, like a config password.

    I consider this a bug because it may affect live sites which forgot to delete their installation path.
     
  2. xf_phantom

    xf_phantom Well-Known Member

    Nothing will happen if somebody calls this.

    1. User needs to be admin
    2. User needs to have "Upgrade XenForo" admin permissions

    If not => XenForo will throw an exception
     
  3. rellect

    rellect Well-Known Member

    Oh, I forgot that I have an admin session.
    Thanks @xf_phantom, my mistake.
     
  4. MattW

    MattW Well-Known Member

    In the .htaccess in that folder, I've limited access to my 2 static IP addresses, and then bounce people straight back to the index page

    Code:
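    # Apache 2.2 access-control syntax: deny everyone, then allow
    # only the listed addresses (IP1 and IP2 are placeholders).
    order deny,allow
    deny from all
    allow from IP1
    allow from IP2
    
    # A full URL makes Apache redirect the client there instead of showing an error page.
    ErrorDocument 404 http://www.z22se.co.uk/
    ErrorDocument 403 http://www.z22se.co.uk/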
     
    Moshe1010 and Andrej like this.
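A way to check for the situation discussed in this thread, as an added example that is not part of the original posts or of XenForo: the script reports whether a leftover installer directory exists under a web root and whether its .htaccess carries an access restriction like the one above. It assumes the installer lives in `<webroot>/install`; the function names `check_install_dir` and `audit_webroots` are made up for this example.

```shell
#!/bin/sh
# Added example: audit web roots for a leftover installer directory.
# Assumption: the installer lives in "<webroot>/install" and is protected,
# if at all, by a per-directory .htaccess as in the post above.

# Prints one of: absent | restricted | exposed
check_install_dir() {
    dir="$1/install"
    if [ ! -d "$dir" ]; then
        echo absent
        return 0
    fi
    ht="$dir/.htaccess"
    # Accept Apache 2.2 style ("deny from all") or 2.4 style
    # ("Require ip ..." / "Require all denied"). Commented-out
    # directives are stripped first so they do not count.
    if [ -f "$ht" ] && grep -v '^[[:space:]]*#' "$ht" |
        grep -Eiq '^[[:space:]]*(deny[[:space:]]+from[[:space:]]+all|require[[:space:]]+(ip|all[[:space:]]+denied))'
    then
        echo restricted
    else
        echo exposed
    fi
}

# Prints one line per web root; returns 1 if any installer is exposed.
audit_webroots() {
    rc=0
    for root in "$@"; do
        state=$(check_install_dir "$root")
        printf '%-10s %s\n' "$state" "$root/install"
        if [ "$state" = exposed ]; then
            rc=1
        fi
    done
    return "$rc"
}

# Stand-alone use: pass one or more web roots as arguments.
if [ "$#" -gt 0 ]; then
    audit_webroots "$@"
fi
```

This is a static check of the files on disk. It does not confirm that Apache honours the .htaccess file, which depends on the server's `AllowOverride` setting.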
