[Phpmyadmin-devel] restricting or removing /setup

Isaac Bennetch bennetch at gmail.com
Fri Jul 15 16:50:35 CEST 2011


On Jul 15, 2011, at 9:35 AM, Marc Delisle <marc at infomarc.info> wrote:

> Hi,
>
> we got a suggestion from a user about either restricting access to
> /setup or telling the installer to remove this directory after initial
> setup.
>
> Let's discuss this...

If I remember correctly, the reason this wasn't done in the first
place is that there's no vulnerability to leaving it exposed. The user
moves the generated config.inc.php, and a malicious user can't write a
new one that would be used. Additionally, users who wish to
reconfigure later might want to run the setup; if it's removed they'll
have to (presumably) reinstall the entire program.

If there were a good reason to remove it, then I'd certainly support
the idea, but I don't see a compelling reason at the moment.

[snip]




More information about the Developers mailing list