
Not a bug Install path can be accessed without any validation

rellect

Well-known member
#1
Perhaps this is a situation which shouldn't be. I agree that the install path should be removed after installation, but many may forget about it.

In vBulletin there is at least license validation. So even if a user got his way to this page, he can't actually do anything.

Perhaps something similar should be added to XenForo as well.
If not license validation, some kind of other validation like a config password.

I consider this a bug because this may affect live sites which forgot to delete their installation path.
 

xf_phantom

Well-known member
#2
Nothing will happen if somebody calls this.

1. User needs to be admin
2. User needs to have "Upgrade XenForo" admin permissions

If not => XenForo will throw an exception
 

MattW

Well-known member
#4
In the .htaccess in that folder, I've limited access to my 2 static IP addresses, and then bounce people straight back to the index page

Code:
order deny,allow
deny from all
allow from IP1
allow from IP2

ErrorDocument 404 http://www.z22se.co.uk/
ErrorDocument 403 http://www.z22se.co.uk/
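
Added example, not part of the thread or any poster's code: a small Python check that reads an .htaccess like the one in post #4 and reports whether the directory is open to everyone, restricted to listed sources, or blocked for all. It goes beyond the post by also reading the Apache 2.4 `Require` form. The function name, the verdict strings and the sample addresses are assumptions made for this illustration, and only top-level rules are evaluated.

```python
def audit_install_htaccess(text):
    """Classify an .htaccess as 'open', 'restricted' or 'blocked'.

    Returns (verdict, allowed_sources). Simplified model (assumption): only
    top-level Order/Deny/Allow and Require lines are read; <Files>/<Limit>
    containers, env= conditions and rules inherited from parent directories
    are ignored.
    """
    order = "deny,allow"  # Apache's default when no Order line is present
    deny_all, allow, require_ip, require_all = False, [], [], None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        key, args = words[0].lower(), [w.lower() for w in words[1:]]
        if key == "order" and args:
            order = "".join(args)
        elif key == "deny" and args[:2] == ["from", "all"]:
            deny_all = True
        elif key == "allow" and args[:1] == ["from"]:
            allow += args[1:]
        elif key == "require" and args[:1] == ["ip"]:
            require_ip += args[1:]
        elif key == "require" and args[:1] == ["all"] and len(args) > 1:
            require_all = args[1]

    if require_ip or require_all:  # Apache 2.4 syntax
        if require_all == "granted":
            return ("open", [])
        return ("restricted", require_ip) if require_ip else ("blocked", [])
    if "all" in allow and not (order == "allow,deny" and deny_all):
        return ("open", [])
    if order == "deny,allow":
        if not deny_all:
            return ("open", [])  # nothing denied, and the default is allow
        return ("restricted", allow) if allow else ("blocked", [])
    # Order allow,deny: the default is deny and a matching Deny always wins
    if deny_all or not allow:
        return ("blocked", [])
    return ("restricted", allow)

# Constructed sample: the rules from post #4, with IP1/IP2 replaced by
# documentation-range addresses.
SAMPLE = """order deny,allow
deny from all
allow from 192.0.2.10
allow from 198.51.100.7
"""

if __name__ == "__main__":
    print(audit_install_htaccess(SAMPLE))
```

An "open" verdict on the install folder of a live site means the web server itself is not limiting who can request that path.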