
Posted

Hello,

Just want to keep this very short. I've upgraded a VERY old v3 board a week or so ago. I'm showing my age by saying I distinctly remember in the old days being warned and instructed to REMOVE/DELETE the admin install and upgrade folders after your board was installed properly to avoid another avenue of attack or vulnerability.

My new 4.7 board is fine, the upgrade and conversion to utf-8 is done. In keeping with what I knew, I removed the following folders:

/admin/upgrade

/admin/install

/admin/convertutf8

 

However now when I visit my control panel and have a look at the support area I have a critical issue!

It's complaining that all the install files are gone!


So - what's the official position? Do we leave the install and upgrade files alone on the system? I'm not sure I'm happy with users being able to hit example.com/admin/install without any restrictions!

Thank you.

(Yes I'm old).🤣

Posted
10 hours ago, IALPA said:

I'm not sure I'm happy with users being able to hit example.com/admin/install without any restrictions!

On a current forum the install page will go to the upgrade one. And it is locked. You can change the name of the admin folder/path if it will make you feel better.

 

Posted

Ok well thanks for getting back to me. I'll take your advice and put the files back.

I'm sure you've had discussions about this during your development over the years but it does just feel a bit strange letting absolutely anyone hit an install/upgrade URL. Everyone being able to see some details about the database/applications installed and their status seems unusual.

At least the critical error disappears!

Posted
3 minutes ago, IALPA said:

Ok well thanks for getting back to me. I'll take your advice and put the files back.

I'm sure you've had discussions about this during your development over the years but it does just feel a bit strange letting absolutely anyone hit an install/upgrade URL. Everyone being able to see some details about the database/applications installed and their status seems unusual.

At least the critical error disappears!

The install folder should redirect to the upgrade and the upgrade folder will be password protected if there is anything of concern which an individual can do there. You could, of course, limit access to this directory through your hosting provider's firewall should you feel uneasy about it.

Posted (edited)
18 minutes ago, IALPA said:

Everyone being able to see some details about the database/applications installed and their status seems unusual.

There are no database details shown at all at that URL.

Edited by Miss_B