[Vtigercrm-developers] Potential Security Vulnerability
Mike Fedyk
mfedyk at mikefedyk.com
Thu Feb 23 10:22:47 PST 2006
I have made a few comments about this patch to Brian on IRC and a couple
things have changed.
Brian Devendorf wrote:
>I have created a new proposal for addressing this issue. My new patch
>creates a config_lock.php file upon completion of the last
>installation step.
>
The new file name is "install_lock"
>When the install.php file is called directly: If config.php is setup
>with a database (existing config check) and a config_lock.php file
>exists in the vtiger root, then it redirects back to index.php.
>
>The config_lock.php file has text indicating it needs to be deleted
>to enable the install functions.
>
>As an additional precaution, the scripts that are in the install
>directory are coded to prevent direct execution if the lock file
>exists in the parent directory (vtiger's root).
>
>I have already created a patch for this and updated my previous
>ticket (#25) in Trac. There is little time to RC and I'd like to have
>a solution in 4.2.4. I feel that it is important to provide a certain
>level of security for even the most inexperienced installers. I think
>this does that... and does it without deleting the install directory.
>
>Comments are welcome (but please do so quickly, so that I have time
>to get a solution into 4.2.4).
>Thanks.
>
>Brian
>
I like the patch, but would like to see if others agree it is the right
way to go before merging.
Mike
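The guard scheme Brian describes (an "install_lock" file in the vtiger root, an existing-config check, a redirect to index.php, and a refusal to run the scripts under install/ while the lock exists) written out as an added example. This is illustration code, not the patch from Trac ticket #25 or any vtiger code. The function names are hypothetical, and it assumes config.php sets a $dbconfig array with a 'db_name' key when a database has been configured; the real config layout may differ.

```php
<?php
// Added example of the install-lock scheme discussed in the thread.
// Not vtiger's own code. Assumes config.php populates $dbconfig['db_name']
// (hypothetical) once a database has been configured.

define('INSTALL_LOCK_NAME', 'install_lock');

/** The "existing config check": does config.php already point at a database? */
function vt_has_existing_config($root) {
    $config = $root . '/config.php';
    if (!is_file($config)) {
        return false;
    }
    $dbconfig = array();
    include $config;                      // assumed to set $dbconfig (hypothetical)
    return !empty($dbconfig['db_name']);
}

/** Does the lock file exist in the vtiger root? */
function vt_install_locked($root) {
    return is_file($root . '/' . INSTALL_LOCK_NAME);
}

/**
 * For install.php: call before any output and before any installer logic.
 * When config.php is set up and the lock exists, redirect to index.php and stop.
 * $root is the directory that contains install.php (pass dirname(__FILE__)).
 */
function vt_guard_install_entry($root) {
    if (vt_has_existing_config($root) && vt_install_locked($root)) {
        header('Location: index.php');
        exit;                             // header() alone does not stop the script
    }
}

/**
 * For every script under install/: refuse direct execution when the lock
 * exists in the parent directory (the vtiger root).
 * $script is the calling script's own path (pass __FILE__).
 */
function vt_guard_install_step($script) {
    $root = dirname(dirname($script));    // install/<file> -> vtiger root
    if (vt_install_locked($root)) {
        header('HTTP/1.0 403 Forbidden');
        exit('Installation is locked; remove ' . INSTALL_LOCK_NAME . ' to re-run it.');
    }
}

/**
 * For the last installation step: create the lock with the explanatory text.
 * Mode 'x' fails if the file already exists, so an existing lock is never
 * silently overwritten. Returns true on success.
 */
function vt_write_install_lock($root) {
    $path = $root . '/' . INSTALL_LOCK_NAME;
    $fh = @fopen($path, 'x');
    if ($fh === false) {
        return false;
    }
    fwrite($fh, "Delete this file to re-enable the vtiger install scripts.\n");
    fclose($fh);
    return true;
}

// Usage in install.php:   vt_guard_install_entry(dirname(__FILE__));
// Usage in install/*.php: vt_guard_install_step(__FILE__);
// Usage in the final step: vt_write_install_lock(dirname(__FILE__));
```

Two points worth keeping in mind when wiring this in: the guard calls have to be the first thing each script does, because header() cannot redirect once any output has been sent, and every redirect must be followed by exit or the installer body still runs. Since the lock is only written when the last step completes, an installation that is abandoned part-way leaves the install scripts reachable until someone finishes it or creates the file by hand.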