Not a bug Install path can be access without any validation

[refael]

Perhaps this is situation which shouldn't be, I agree that install path should be removed after installation, but many may forget about it.

In vBulletin there is at least license validation. So even if user got his way to this page, he can't actually do anything.

Perhaps something similar should be added to XenForo as well.
If not license validation, so kind of other validation like config password.

I consider this bug because this may affect live sites which forgot to delete their installation path.

 

[xf_phantom]

Nothing will happen if somebody calls this.

1. User needs to be admin
2. User needs to have "Upgrade XenForo" admin permissions

if not => xenforo will throw an exception

 

[refael]

Oh I forgot that I have admin session.
Thanks @xf_phantom, my mistake.

 

[MattW]

In the .htaccess in that folder, I've limited access to my 2 static IP addresses, and then bounce people straight back to the index page

order deny,allow
deny from all
allow from IP1
allow from IP2

ErrorDocument 404 http://www.z22se.co.uk/
ErrorDocument 403 http://www.z22se.co.uk/