1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Not a Bug Location Admin Panel

Discussion in 'Resolved Bug Reports' started by Sergio Bambaren, Sep 3, 2010.

  1. [​IMG]
    The xxxxxx located in parent directory. Please, fix this because in the future this could create many problems.
     
  2. James

    James Well-Known Member

    I'm not quite sure what your point is. The XenForo Admin Panel is located in the same directory as index.php yes, this is not a bug.
     
  3. Floris

    Floris Guest

    Which problems? You mean admin.php and it's not hidden. You can use .htaccess/.htpasswd to protect the file.
     
    Darkimmortal and CBI Web like this.
  4. MrBrian

    MrBrian Active Member

    I think he's trying to say that the admincp shouldn't be in the same directory as the forum directory?
     
  5. Floris

    Floris Guest

    Yeah, but that's done on purpose, and I don't see how it's going to lead to problems.
     
  6. MrBrian

    MrBrian Active Member

    Me aswell. That's exactly what I wanted to imply.
     
  7. Mike

    Mike XenForo Developer Staff Member

    It isn't really a secret. As soon as the software goes out, everyone would know where the default location is, even if it were wld2297asdfkl.php :)
     
    DSF likes this.
  8. DSF

    DSF Well-Known Member

    Nice idea for safety reason. ;)
     
  9. Romchik®

    Romchik® Well-Known Member

    Hm... This is all never mind, if we can in settigs define name or path for admin.php (how in vB for admincp in config.php).
    If not, then bad.
     
  10. Forsaken

    Forsaken Well-Known Member

    How is it bad..?

    Unless the administrator account has been compromised (At which time you're already screwed), theres nothing that can really go wrong other then bruteforce, and to be quite honest, theres not bruteforcing does against secure passes :rolleyes:
     
  11. CyberAP

    CyberAP Well-Known Member

    The only one good thing when you have an /admin/ folder you can change it's name before the install and no one can guess how the folder is named if he is not admin or... hacker :rolleyes:.
     
  12. Forsaken

    Forsaken Well-Known Member

    Changing the name doesn't do much, and while its not quite obfuscation, by the time a real hacker is actually going for your ACP, they've most likely gotten your credentials.
     
  13. Onimua

    Onimua Well-Known Member

    It doesn't change anything if your account is compromised. It's no different if a hacker tries to get into your ACP directly, or just tries to log into your account on the front end, logs in and then simply clicks the link to the ACP; the end result is the same.

    That's why it's recommended you also add a .htaccess file to add another username/password combination so the ACP should the scenario above happen.
     
  14. Floris

    Floris Guest

    If there's a serious bug in the code that allows you to gain access to the back-end of the product, like "change options"

    It does not matter if the file "admin.php" is in /forum/ or /forum/adminarea/
     
  15. Brandon_R

    Brandon_R Guest

    I think people are under the impression that it's a standard to have the admincp in a directory by itself which really isn't. As long as you can protect the file admin.php then it's safe.
     

Share This Page