Michael Posted September 27, 2006 I think the 'Installer still present' red error box should be moved from the main ACP page to the Security Center page. It just seems to me to be something that fits in with the other Security options on that page.
Brandon C Posted September 27, 2006 But it certainly gets one's attention enough to do something about it. I personally think you shouldn't be allowed to login to the ACP unless you have deleted the /install directory.
harmor Posted September 27, 2006 You can still access the ACP even if the installer wasn't deleted? I think IPS should force people to delete it before they can access the control panel.
Keven Fox Posted September 27, 2006 Doesn't really matter to me at all, I have enough sense to delete the directory :)
UBERHOST.NET Posted September 27, 2006 I say move it to the Security Center page, then make that page come up default when there is a security issue to fix.
Michael Posted September 27, 2006 You don't really need to remove the whole directory, just the index.php file. And even then, they'd need your password to do any damage.
Mat Barrie Posted September 27, 2006 And as a side note, the manual tells you NOT to delete the install directory. It says you should delete index.php, but that is IT.
Keven Fox Posted September 27, 2006 It doesn't hurt, I've had no problems deleting the directory :P
Brandon C Posted September 28, 2006
> Doesn't really matter to me at all, I have enough sense to delete the directory :)
Same here, but some people do not. I always delete the install and upgrade directories after each install/upgrade. :) I was just suggesting it as I felt IPS should implement that in as an added security feature.
Microo Posted September 28, 2006 That's why there should be a message saying "index.php is still present in the install directory." If you're not smart enough to delete a file then you're not smart enough to install IPB in the first place. Exactly, my point was that they shouldn
richstar Posted September 28, 2006 I would go one step further and prohibit use of the board entirely until the install.php file is removed from the installation directory. If people do not understand that an important part of the installation is to remove the installer before going "click to log in" then they really shouldn't be doing the install IMO.
dwhitehouse Posted September 28, 2006 That may sound good in theory, but if people try to connect to your board and can't access it, it's 1 of 2 things. You have turned it off, or you forgot your installer, and then in that case they may just go and reinstall your forum. I like the idea of moving it to the security panel, and when there is a security update it loads that page first. +1
Brandon C Posted September 28, 2006
> That may sound good in theory, but if people try to connect to your board and can't access it, it's 1 of 2 things. You have turned it off, or you forgot your installer, and then in that case they may just go and reinstall your forum. I like the idea of moving it to the security panel, and when there is a security update it loads that page first. +1
Well it would tell them that they needed to remove the install/index.php file or the install directory before they could continue.
RaDiOAcTiVe Posted September 28, 2006 I think differently. I think that it attracts more attention on the admin page. Maybe you can do both since it is a good idea...
PolakTom101 Posted September 28, 2006 I think it should stay. I noticed when installing IPB 2.2 over and over, since I messed around with it too much, I usually forgot about the install/index.php file, so it's nice when you login into the ACP it stands out there and not in the Help & Support Section where you don't visit too often.
richstar Posted September 28, 2006 I guess it's a question of letting the admin know they have left the installer in play, but not letting anyone else know. That's why it's important that a board not be left too long in its default state, even if the admin creates five or six accounts and makes spurious posts to give anyone the idea it is a fully installed board actively in use rather than a just installed board so they go looking for the /install/index.php file. In any case IPB requires the admin to have created a database prior to installation. I would leave it in the ACP in that case. I now appreciate the subtlety of not advertising the fact to the world that the installer is still there.
Mat Barrie Posted September 28, 2006 Bearing in mind that even with the installer present, it will not run with install.lock present anyway :) If an exploiter can remove that file, they have the potential to do more damage than resetting your posts and the like.
Michael Posted September 28, 2006 Exactly. Is not deleting it a security risk? Sure. Is it as risky as leaving the CHMOD of conf_global.php at 777? I wouldn't think so. I just think this setting deserves to be on the Security Center page along with all other similar security threats from the files/settings on the board.
Strange_Will Posted September 28, 2006
> Doesn't really matter to me at all, I have enough sense to delete the directory :)
There are other files in the install directory used in the skin tools for rebuilding things. I found that out the hard way ;)
Mat Barrie Posted September 28, 2006
> There are other files in the install directory used in the skin tools for rebuilding things. I found that out the hard way ;)
I assume Reversion requires the original Skin SQL in that directory or some such. It makes sense, why duplicate data in the database?
Quillz Posted September 28, 2006
> I would go one step further and prohibit use of the board entirely until the install.php file is removed from the installation directory. If people do not understand that an important part of the installation is to remove the installer before going "click to log in" then they really shouldn't be doing the install IMO.
I agree. With vBulletin, you are forced to remove the installation files before you are allowed access to the ACP. This would be a good idea for IPB to adopt, as well.
Mat Barrie Posted September 28, 2006
> I agree. With vBulletin, you are forced to remove the installation files before you are allowed access to the ACP. This would be a good idea for IPB to adopt, as well.
Except that certain ACP functionality requires the Installation files to be present. (With the obvious exception of Index.php) IPB locks the installation out unless install.lock is removed anyway, and like I said before - if an exploiter is able to remove install.lock, you have bigger problems on your hands than them running the installer.
Quillz Posted September 28, 2006
> Except that certain ACP functionality requires the Installation files to be present. (With the obvious exception of Index.php) IPB locks the installation out unless install.lock is removed anyway, and like I said before - if an exploiter is able to remove install.lock, you have bigger problems on your hands than them running the installer.
I know that you need the /install/ file. You should be locked out of the ACP for the first time until you remove /index.php, like what vBulletin already does.
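The three conditions raised in this thread (installer index.php left in place, install.lock present or missing, and a world-writable conf_global.php) can be checked from a shell. This is an added example, not part of the original thread and not IPS code; the function name audit_board and the paths install/index.php, install/install.lock and conf_global.php relative to the board root are assumptions.

```shell
#!/bin/sh
# Added example: audit a board root for the conditions discussed in the thread.
# Assumed layout (not confirmed by the thread): install/index.php,
# install/install.lock and conf_global.php under the board root.

audit_board() {
    root=$1
    findings=""

    # Installer entry point left behind after installation.
    if [ -f "$root/install/index.php" ]; then
        findings="${findings}INSTALLER_PRESENT "
        # Per the thread, the lock file is what stops the installer
        # from running again, so its absence is the worse case.
        if [ ! -f "$root/install/install.lock" ]; then
            findings="${findings}LOCK_MISSING "
        fi
    fi

    # World-writable configuration file (for example mode 777 or 666).
    if [ -f "$root/conf_global.php" ] &&
       [ -n "$(find "$root/conf_global.php" -prune -perm -0002 2>/dev/null)" ]; then
        findings="${findings}CONF_WORLD_WRITABLE "
    fi

    # Print findings without the trailing space; empty output means clean.
    printf '%s\n' "${findings% }"
}

# Report on the directory given as the first argument, if any.
if [ -n "${1:-}" ]; then
    audit_board "$1"
fi
```

Run it as `sh audit.sh /path/to/board`; the rest of the install directory is left alone, since the thread notes that other ACP functions use files in it.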
Archived
This topic is now archived and is closed to further replies.