Author Topic: Security Issue /public/install  (Read 5981 times)

Adriaan Graas

  • Guest
Security Issue /public/install
« on: February 16, 2009, 01:14:16 pm »
Hi,

I think this is important: after the install, the public/install/index.php file is still open, and when run it will erase the config file, resulting in the system not working anymore.
Plus, anyone can attach a new database to the system.

A temporary fix could be to (re)move the install directory.
Development fix: please make sure that all install files are only accessible when the install has not been completed before.

Anyway, I like OpenGoo very much, continue the good work :)

Kind regards,

Adriaan Graas

ignacio

  • Hero Member
Re: Security Issue /public/install
« Reply #1 on: February 17, 2009, 09:46:14 am »
Hi Everyone,

This is a bug and can be fixed by editing file 'public/install/include.php' line 27, from:
Code:
$config_is_set = $config_path;
to:
Code:
$config_is_set = @include $config_path;
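
Why the one-line change matters, as an added example that is not part of the thread and not OpenGoo's code: assigning the path never executes the config file, while `@include` executes it and yields false when it is missing. The temp paths, the `EXAMPLE_INSTALLED` constant and `installer_may_run()` are assumptions made for illustration.

```php
<?php
// Added example, not OpenGoo code. The temp paths, the EXAMPLE_INSTALLED
// constant and installer_may_run() are assumptions made for illustration.

// Hypothetical guard: the installer refuses to run once a loaded config
// file has marked the system as installed.
function installer_may_run(): bool
{
    return !(defined('EXAMPLE_INSTALLED') && EXAMPLE_INSTALLED);
}

function report(string $step, $config_is_set): void
{
    printf("%-28s config_is_set=%s installer_may_run=%s\n",
        $step, var_export($config_is_set, true), var_export(installer_may_run(), true));
}

$dir = sys_get_temp_dir() . '/install_guard_' . uniqid();
mkdir($dir);
$config_path = $dir . '/config.php';

// 1. Fresh system, no config file yet: include fails, @ hides the warning,
//    and the expression evaluates to false.
$config_is_set = @include $config_path;
report('no config, @include', $config_is_set);

// 2. Installation finished: a constructed config file now exists.
file_put_contents(
    $config_path,
    "<?php\ndefine('EXAMPLE_INSTALLED', true);\nreturn true;\n"
);

// 3. Line before the fix: only the path string is copied. The file is never
//    executed, so nothing it defines is visible to the guard.
$config_is_set = $config_path;
report('config exists, path only', $config_is_set);

// 4. Line after the fix: the file is executed, its return value is assigned,
//    and the constant it defines is now visible to the guard.
$config_is_set = @include $config_path;
report('config exists, @include', $config_is_set);

// Clean up the constructed files.
unlink($config_path);
rmdir($dir);
```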