Not a bug  Location Admin Panel

TAIFUN


The xxxxxx located in parent directory. Please, fix this because in the future this could create many problems.
 
I'm not quite sure what your point is. The XenForo Admin Panel is located in the same directory as index.php, yes; this is not a bug.
 
Yeah, but that's done on purpose, and I don't see how it's going to lead to problems.
 
It isn't really a secret. As soon as the software goes out, everyone would know where the default location is, even if it were wld2297asdfkl.php :)
 
It isn't really a secret. As soon as the software goes out, everyone would know where the default location is, even if it were wld2297asdfkl.php :)
Hm... This is all never mind, if we can in settings define name or path for admin.php (how in vB for admincp in config.php).
If not, then bad.
 
Hm... This is all never mind, if we can in settings define name or path for admin.php (how in vB for admincp in config.php).
If not, then bad.
How is it bad..?

Unless the administrator account has been compromised (at which time you're already screwed), there's nothing that can really go wrong other than bruteforce, and to be quite honest, there's not bruteforcing does against secure passes :rolleyes:
 
The only one good thing when you have an /admin/ folder you can change its name before the install and no one can guess how the folder is named if he is not admin or... hacker :rolleyes:.
 
The only one good thing when you have an /admin/ folder you can change its name before the install and no one can guess how the folder is named if he is not admin or... hacker :rolleyes:.
Changing the name doesn't do much, and while it's not quite obfuscation, by the time a real hacker is actually going for your ACP, they've most likely gotten your credentials.
 
The only one good thing when you have an /admin/ folder you can change its name before the install and no one can guess how the folder is named if he is not admin or... hacker :rolleyes:.

It doesn't change anything if your account is compromised. It's no different if a hacker tries to get into your ACP directly, or just tries to log into your account on the front end, logs in and then simply clicks the link to the ACP; the end result is the same.

That's why it's recommended you also add a .htaccess file to add another username/password combination so the ACP should the scenario above happen.
 
If there's a serious bug in the code that allows you to gain access to the back-end of the product, like "change options"

It does not matter if the file "admin.php" is in /forum/ or /forum/adminarea/
 
I think people are under the impression that it's a standard to have the admincp in a directory by itself, which it really isn't. As long as you can protect the file admin.php then it's safe.
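
The second username/password layer recommended in the thread, sketched as an added example (not part of any post and not XenForo's own configuration). It assumes Apache 2.4 with `AllowOverride AuthConfig` enabled for the forum directory; the realm name and the password-file path are placeholders.

```apache
# .htaccess in the directory that contains admin.php
# (the same directory as index.php, as described in the thread).
#
# Create the password file once, outside the web root, with bcrypt hashes:
#   htpasswd -c -B /path/outside/webroot/.htpasswd-acp someuser
# (path and user name are placeholders)

# Only admin.php is gated; the public front end stays reachable.
<Files "admin.php">
    AuthType Basic
    # Realm string shown in the browser prompt (placeholder text).
    AuthName "Restricted area"
    # Must not be served by the web server; keep it outside the web root.
    AuthUserFile /path/outside/webroot/.htpasswd-acp
    # Any user listed in the password file may proceed to the
    # application's own admin login.
    Require valid-user
</Files>

# Defence in depth: never serve .ht* files even if one ends up in the web root.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
```

Basic authentication sends the credentials with every request in an easily decoded form, so this layer only adds protection when the site is served over HTTPS.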
 