IALPA
Posted September 27, 2023

Hello,

Just want to keep this very short. I've upgraded a VERY old v3 board a week or so ago. I'm showing my age by saying I distinctly remember in the old days being warned and instructed to REMOVE/DELETE the admin install and upgrade folders after your board was installed properly to avoid another avenue of attack or vulnerability.

My new 4.7 board is fine, the upgrade and conversion to utf-8 is done. In keeping with what I knew, I removed the following folders:

/admin/upgrade
/admin/install
/admin/convertutf8

However now when I visit my control panel and have a look at the support area I have a critical issue! It's complaining that all the install files are gone!

So - what's the official position? Do we leave the install and upgrade files alone on the system? I'm not sure I'm happy with users being able to hit example.com/admin/install without any restrictions!

Thank you. (Yes I'm old).🤣

Miss_B
Posted September 28, 2023

10 hours ago, IALPA said: "I'm not sure I'm happy with users being able to hit example.com/admin/install without any restrictions!"

On a current forum the install page will go to the upgrade one. And it is locked. You can change the name of the admin folder/path if it will make you feel better.

Marc
Posted September 28, 2023

You should upload those folders. There is no need to remove those as you once did.

IALPA (Author)
Posted September 28, 2023

Ok well thanks for getting back to me. I'll take your advice and put the files back.

I'm sure you've had discussions about this during your development over the years but it does just feel a bit strange letting absolutely anyone hit an install/upgrade URL. Everyone being able to see some details about the database/applications installed and their status seems unusual.

At least the critical error disappears!

Jim M
Posted September 28, 2023

3 minutes ago, IALPA said: "Ok well thanks for getting back to me. I'll take your advice and put the files back. I'm sure you've had discussions about this during your development over the years but it does just feel a bit strange letting absolutely anyone hit an install/upgrade URL. Everyone being able to see some details about the database/applications installed and their status seems unusual. At least the critical error disappears!"

The install folder should redirect to the upgrade and the upgrade folder will be password protected if there is anything of concern which an individual can do there. You could, of course, limit access to this directory through your hosting provider's firewall should you feel uneasy about it.
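
One way to apply the restriction suggested above at the web-server level instead of a hosting firewall, as an added example that is not from any poster in this thread or from the software vendor. It assumes Apache 2.4, an admin directory still named /admin, and uses 203.0.113.10 as a constructed placeholder for the administrator's own address.

```apache
# Place inside the existing <VirtualHost> block that serves the board.
# Assumption: Apache 2.4 and the default admin path, /admin.
# The folders stay on disk; only HTTP access to them is narrowed.
<LocationMatch "^/admin/(install|upgrade|convertutf8)(/|$)">
    # 203.0.113.10 is a constructed placeholder address.
    # Requests from any other address receive 403 Forbidden.
    Require ip 203.0.113.10
</LocationMatch>
```

Run `apachectl configtest` before reloading, and adjust the pattern if the admin folder has been renamed.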

Miss_B
Posted September 28, 2023

18 minutes ago, IALPA said: "Everyone being able to see some details about the database/applications installed and their status seems unusual."

There are no database details shown at all at that url.

Edited September 28, 2023 by Miss_B