Protostar
Posts: 7
Joined: 21 October 2009
Location: Sittard
Hi,
There is no Warning given if the install.php file is not deleted in the root (only a reminder on completion of the installation). Could be a possible security hazard if forgotten.
Made an easy adjustment with
PHP Code Snippet
<?php
if (file_exists
?>
The Warning shows up in the Admin CP, not visible for "normal" users. The Warning will be visible until the install.php file is deleted.
See screencaps
install.php present

install.php deleted

I have used the modules_template, home.php and the lang_admin.php to make this change.
Maybe a good idea for a next release.
Greetz,
Pat
Last edited by: Pat
- Wednesday, Oct 21, 2009 19:37.
Coder
Posts: 187
Joined: 23 August 2009
Location: Simferopol
Nice idea. Could be added in next versions. Thanks.
Last edited by: Hast
- Wednesday, Oct 21, 2009 19:29.
Head of Security
Security Team
Posts: 601
Joined: 23 August 2009
Location: Heiloo
This wasn't in !?!?
That's shocking.
Head of User Documentation
User Documentation
Posts: 858
Joined: 23 August 2009
Location: Hove
Angelo wrote: This wasn't in !?!? That's shocking.
It's shocking you didn't realise! xD Only kidding ur doing great!
@Pat: Thanks for the idea!
Thanks, Prentice
Sorry for any miss-spellings, I now use my wii for internet stuff! 
Head of Security
Security Team
Posts: 601
Joined: 23 August 2009
Location: Heiloo
Prentice wrote (quoting Angelo: "This wasn't in !?!? That's shocking."): It's shocking you didn't realise! xD Only kidding ur doing great! @Pat: Thanks for the idea!
Yes, that too. 
But for me personally a message at the end of the installation is enough for me to think "oh shit I have to remove it"
Red Giant
Posts: 155
Joined: 25 October 2009
Location: United Kingdom
Agreed, keeping the install.php file there does create a major security issue. All other software deletes this, so it should be in NB.
Project Leader
Project Manager
Posts: 739
Joined: 17 August 2009
Location: Manchester
Alternatively, it could either be auto-deleted by the installer, or renamed so it's only accessible via FTP etc.
James
Head of Security
Security Team
Posts: 601
Joined: 23 August 2009
Location: Heiloo
Deletion can be done easily through PHP.
Red Giant
Posts: 155
Joined: 25 October 2009
Location: United Kingdom
Why not have an option? Leave, rename, or delete. You will also have the option to delete it if it hasn't been already, in the Admin CP. That would be so much better for different reasons.
Project Leader
Project Manager
Posts: 739
Joined: 17 August 2009
Location: Manchester
Good point. Although, saying that, wouldn't it just be simpler to have a link at the end of the installer to delete itself, then redirect to the site index?
James
Head of Security
Security Team
Posts: 601
Joined: 23 August 2009
Location: Heiloo
I can't name any reasons for that at all. Why would you want to keep the install.php? It's useless after you installed it. So removing manually would be good, and if the action of deleting failed, give the user a warning message.
Coder
Posts: 187
Joined: 23 August 2009
Location: Simferopol
Such different opinions... So what should I do? Delete it automatically or like in the topic head? I'm confused.
Project Leader
Project Manager
Posts: 739
Joined: 17 August 2009
Location: Manchester
How about CHMODding it so it can't be read etc apart from by FTP?
I always keep my install file handy just in case.
Of course, it's totally renamed, unreadable etc.
James
Protostar
Posts: 7
Joined: 21 October 2009
Location: Sittard
My humble opinion;
With these things you should look at the worst case scenario. Not everyone (with respect) has the knowledge of what this file can cause if it still remains in the root. If you are a professional, like you, it is a common issue to delete or rename it, but if you are a novice then it could go wrong.
I foresee this: if someone starts a Novaboard and forgets the file, after some time the board is running with a lot of members/posts, and oops, someone misused the install file. That's no good advertising for Novaboard.
A good alternative could be that on the end screen after the installation you could place a checkbox (which is checked) with the text "The install file will be deleted after you press submit; after that you will be logged in on the board." In this case you can always choose not to delete the install file.
But as said, it's my humble opinion.
Keep up the good work, so that Novaboard will become a big player in the forum world.
Greetz,
Pat
Last edited by: Pat
- Monday, Oct 26, 2009 12:51.
Project Leader
Project Manager
Posts: 739
Joined: 17 August 2009
Location: Manchester
Fair enough - can this be implemented in 1.2.0 then?
Head of Security
Security Team
Posts: 601
Joined: 23 August 2009
Location: Heiloo
Sure. Add it to the list.
Protostar
Posts: 8
Joined: 26 October 2009
Would be best if it disabled the admin control panel until it was deleted, then you wouldn't be able to overlook it.
Last edited by: Dreams
- Monday, Oct 26, 2009 16:27.
Project Leader
Project Manager
Posts: 739
Joined: 17 August 2009
Location: Manchester
?
Head of Core Development
Posts: 222
Joined: 23 August 2009
Location: Rochdale, UK
James wrote: ?
I think he means disallow access to the forum. This is what MyBB does: until you delete the installer, you can't access the forums.
Head of User Documentation
User Documentation
Posts: 858
Joined: 23 August 2009
Location: Hove
I think he means that the admin panel should be deleted if it is still there but I don't think so...
Thanks, Prentice
Sorry for any miss-spellings, I now use my wii for internet stuff! 
Project Leader
Project Manager
Posts: 739
Joined: 17 August 2009
Location: Manchester
Thought he meant something like that, but wasn't sure.
That's an alternative, but I think it's easier to let people decide whether to have install.php there or not, as opposed to specifying that it can't be there. Some people (myself included) keep it, albeit under a different name, once the install has completed.
I think we should stick to the checkbox right at the end, but it needs to be made clear what will happen if the user unchecks the box - perhaps have an alert too?
James
Protostar
Posts: 8
Joined: 26 October 2009
Sorry, I wasn't very clear; I have edited my post, cpanel = admincp
Coder
Posts: 94
Joined: 24 August 2009
Location: London
If the install.php has not been deleted, restrict access to the Admin CP. Have a checkbox on that page to confirm they know, and store it in their session. On next visit, same thing gets asked etc.
That way, they can either just delete it, rename it, or keep it, and still have access to their Admin CP.
Project Leader
Project Manager
Posts: 739
Joined: 17 August 2009
Location: Manchester
Is that overcomplicating things though?
At the end of the day, the simplest solution is to either have the installation procedures in the admin panel after the main installation (or something like that) or, of course, nuke the bugger.
James
Coder
Posts: 94
Joined: 24 August 2009
Location: London
I wouldn't say overcomplicating things, no. It's a security measure. You cannot always 100% guarantee that you will be able to remove the install.php file with PHP because of its permissions anyway.
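The options weighed in the thread up to this point (delete automatically, rename when the admin wants to keep a copy, and warn in the Admin CP when neither worked because of file permissions) can be combined in one routine. This is an added example, not NovaBoard code and not any poster's code; the function names, the `.disabled` file name and the status strings are assumptions.

```php
<?php
// Added illustration, not NovaBoard code. Function names, the ".disabled"
// name and the status strings are assumptions. Needs PHP 7.1 or later.

/**
 * Neutralise the installer after a successful install.
 * Returns 'deleted', 'renamed', or 'present' when nothing worked.
 */
function neutralise_installer(string $boardRoot, bool $keepCopy = false): string
{
    $root = rtrim($boardRoot, '/\\');
    $installer = $root . DIRECTORY_SEPARATOR . 'install.php';
    if (!is_file($installer)) {
        return 'deleted';
    }

    // Default: delete. unlink() needs write permission on the directory,
    // which the web server user often lacks, so this can fail.
    if (!$keepCopy && @unlink($installer)) {
        return 'deleted';
    }

    // Keep-a-copy choice, or fallback after a failed delete: rename to an
    // unguessable name with no ".php" in it, because some Apache handler
    // setups execute any file that has .php among its extensions.
    $target = $root . DIRECTORY_SEPARATOR
        . 'installer-' . bin2hex(random_bytes(8)) . '.disabled';
    if (@rename($installer, $target)) {
        return 'renamed';
    }

    return 'present'; // caller shows the Admin CP warning
}

/**
 * Admin CP check for every page load: a warning string while install.php
 * is still in the board root, null once it is gone.
 */
function installer_warning(string $boardRoot): ?string
{
    clearstatcache();
    $installer = rtrim($boardRoot, '/\\') . DIRECTORY_SEPARATOR . 'install.php';

    return is_file($installer)
        ? 'install.php is still present in the board root. Delete or rename it.'
        : null;
}
```

When the result is 'present', the installer's final page and the Admin CP should both keep showing the warning until the file is removed by hand.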
Project Leader
Project Manager
Posts: 739
Joined: 17 August 2009
Location: Manchester
OK well how about a slightly different idea. Remember, I'm not a PHP coder, so I'll kinda write in normal language.
maintenance.php:
Contains installer, recaching, purging, and resyncing functions, plus optimizers etc. When the file is opened, it looks for a settings file to see if the software has been installed or not. If it has, it shows a login screen where only Administrators with Site Settings can enter. When the software is first uploaded, there is no settings file to locate the database with, so the file shows the installer straight off. When the admin logs in, he/she has the option to reinstall, recache the board, purge categories etc., and all of the other little-used optimization things.
James
Protostar
Posts: 56
Joined: 26 December 2009
Location: Ontario
James wrote:
OK well how about a slightly different idea. Remember, I'm not a PHP coder, so I'll kinda write in normal language.
maintenance.php:
Contains installer, recaching, purging, and resyncing functions, plus optimizers etc. When the file is opened, it looks for a settings file to see if the software has been installed or not. If it has, it shows a login screen where only Administrators with Site Settings can enter. When the software is first uploaded, there is no settings file to locate the database with, so the file shows the installer straight off. When the admin logs in, he/she has the option to reinstall, recache the board, purge categories etc., and all of the other little-used optimization things.
James
Why not just put all that in the AdminCP, those options seem pretty good?
Personally for this I would have a checkbox whether they want to delete the file or not. If they choose not to delete the file, NovaBoard would automatically rename the file based on time. install.php => 03132009 or whatever.
PHP Code Snippet
<?php echo "Insert text here";?>
Protostar
Posts: 11
Joined: 30 October 2009
In addition, for those that do forget, an auto-lock could be added to the installer where, after a successful installation, the install.php file auto-locks itself from being used again unless changed via FTP to unlock it.
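The auto-lock from the last post, sketched as an added example that is not NovaBoard code and not the poster's: the installer writes a lock file once it has finished and refuses every later request while that file exists. The lock file name, its location and both function names are assumptions.

```php
<?php
// Added illustration, not NovaBoard code. The lock file name and location
// and both function names are assumptions made for this sketch.

const INSTALL_LOCK = __DIR__ . '/install.lock';

/**
 * Called as the last step of a successful installation. Mode 'x' makes
 * fopen() fail if the lock already exists, so it is never rewritten.
 * Returns false when the lock could not be created (for example, no write
 * permission); the installer then stays usable and the admin must be warned.
 */
function write_install_lock(string $lockFile = INSTALL_LOCK): bool
{
    $handle = @fopen($lockFile, 'x');
    if ($handle === false) {
        return false;
    }
    fwrite($handle, 'installed ' . gmdate('c') . "\n");
    fclose($handle);
    return true;
}

/**
 * Called at the very top of install.php, before any request input is read.
 * While the lock exists the installer answers 403 and stops. There is no
 * web-facing unlock action: the lock is removed over FTP or a shell only.
 */
function refuse_if_locked(string $lockFile = INSTALL_LOCK): void
{
    clearstatcache();
    if (file_exists($lockFile)) {
        http_response_code(403);
        exit('Installation is locked. Remove install.lock over FTP to run the installer again.');
    }
}
```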