[Phpmyadmin-devel] restricting or removing /setup

Michal Čihař michal at cihar.com
Sat Jul 16 11:30:22 CEST 2011


Hi

On Fri, 15 Jul 2011 10:50:35 -0400
Isaac Bennetch <bennetch at gmail.com> wrote:

> On Jul 15, 2011, at 9:35 AM, Marc Delisle <marc at infomarc.info> wrote:
> 
> > Hi,
> >
> > we got a suggestion from a user about either restricting access to
> > /setup or telling the installer to remove this directory after initial
> > setup.
> >
> > Let's discuss this...
> 
> If I remember correctly, the reason this wasn't done in the first
> place is that there's no vulnerability to leaving it exposed. The user
> moves the generated config.inc.php, and a malicious user can't write a
> new one that would be used. Additionally, users who wish to
> reconfigure later might want to run the setup; if it's removed they'll
> have to (presumably) reinstall the entire program.
> 
> If there were a good reason to remove it, then I'd certainly support
> the idea, but I don't see a compelling reason at the moment.

I've seen this in various web applications - they force you to remove
setup once installation is done.

I don't think we should make it a hard requirement; however,
suggesting to remove it after setup won't hurt.

Another option would be to limit access to it, for example only to
authenticated MySQL users, which would limit the audience quite a lot.

-- 
	Michal Čihař | http://cihar.com | http://phpmyadmin.cz
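
An added example, not part of this thread and not phpMyAdmin code: a small audit that reports when a setup/ directory is still present next to an installed config.inc.php, the situation the removal suggestion above is about. The config/ staging directory, the function names and the sample trees are assumptions made for illustration.

```python
import stat
import tempfile
from pathlib import Path


def audit_install(root):
    """Return a list of findings for one phpMyAdmin directory."""
    root = Path(root)
    configured = (root / "config.inc.php").is_file()
    setup_dir = root / "setup"
    staging = root / "config"  # assumption: where the setup script saves its output
    findings = []
    if setup_dir.is_dir():
        state = ("after config.inc.php was installed" if configured
                 else "on an unconfigured install")
        findings.append(f"setup/ is still present {state}")
    if staging.is_dir():
        if (staging / "config.inc.php").is_file():
            findings.append("generated config/config.inc.php was never moved out")
        if staging.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append("config/ is group- or world-writable")
    return findings


def build_sample(base, name, *, configured, keep_setup, staging_mode=None):
    """Create a constructed directory tree standing in for an install."""
    root = Path(base) / name
    root.mkdir()
    if configured:
        (root / "config.inc.php").write_text("<?php /* constructed sample */\n")
    if keep_setup:
        (root / "setup").mkdir()
    if staging_mode is not None:
        (root / "config").mkdir()
        (root / "config").chmod(staging_mode)
    return root


def demo():
    """Audit two constructed installs: one with leftovers, one cleaned up."""
    with tempfile.TemporaryDirectory() as base:
        left = build_sample(base, "left", configured=True, keep_setup=True,
                            staging_mode=0o777)
        clean = build_sample(base, "clean", configured=True, keep_setup=False)
        return audit_install(left), audit_install(clean)


if __name__ == "__main__":
    for findings in demo():
        print(findings or "no findings")
```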