From: Ricard A. <pak...@gm...> - 2011-12-31 07:59:56
Hi Tim:

If webERP is already installed, why do we need to keep the install directory? Isn't it cleaner if we just delete it?

Regards,
Ricard

2011/12/30 Tim Schofield <ti...@we...>

> To protect ourselves in future maybe the install routine could rename
> the install directory to a random string or delete it altogether? I
> have seen both done in other projects I have been involved with.
>
> There will always be these stupid people with too much time on their
> hands and not enough to do with their lives!
>
> Tim
>
>
> On 30 December 2011 08:21, Phil Daintree <ph...@lo...> wrote:
> > I have had contact with someone else who has also had their config.php
> > file over-written by an external fool using this method described below.
> > It seems someone is googling exposed webERP installs and compromising
> > them so immediate action is recommended to delete your install directory
> > under the webERP installation.
> >
> > Also wise to change the permissions to ensure that your config.php file
> > is not writable by the web-server - so it cannot be over-written.
> >
> > I expect many will already have done this, but in case you haven't
> > already, another useful protection from this sort of thing is to have
> > your webERP install inside an apache protected directory so a password
> > is required for all users to even get to the directory where you have
> > webERP installed:
> >
> > http://httpd.apache.org/docs/2.0/howto/auth.html
> >
> > This is very easy with GUI tools under cpanel
> >
> > Phil
> >
> > Phil Daintree
> > Logic Works Ltd - +64 (0)275 567890
> > http://www.logicworks.co.nz
> >
> > On 30/12/11 20:20, Phil Daintree wrote:
> >> I have been made aware of an issue where if a user goes to
> >> webERP/install/index.php URL they can by mistake (and without any
> >> permissions) create a new webERP installation that writes config.php
> >> over your existing installation - most likely they will not know the
> >> passwords etc to create the database but it will be inconvenient to have
> >> to get your config.php back from a backup off your web-server.
> >>
> >> I have modified the install scripts to check for a pre-existing
> >> config.php before the script attempts to run for future installs, but
> >> for those of you with existing installations I suggest deleting all the
> >> scripts in the install directory.
> >>
>
> --
> WebERP Africa Ltd
> +447710427049
> +254706554559
> www.weberpafrica.com
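
The two fixes recommended in this thread (delete the install directory, make config.php non-writable), as an added shell example that is not part of the original messages or of webERP itself. The function names `audit_weberp` and `harden_weberp` are hypothetical, and the paths assume the layout named in the thread.

```shell
#!/bin/sh
# Added example, not webERP project code. Assumes the layout named in the
# thread: <webERP root>/install/ and <webERP root>/config.php.

# Print one line per finding; return 0 when clean, 1 when anything is found.
audit_weberp() {
    root=$1
    findings=0
    # The installer is what overwrote config.php, so its presence is a finding.
    if [ -d "$root/install" ]; then
        echo "FINDING: $root/install still exists"
        findings=$((findings + 1))
    fi
    if [ -f "$root/config.php" ]; then
        # Permission string such as rw-r--r--; any 'w' means some account,
        # possibly the web server's, can overwrite the file.
        mode=$(ls -ldL -- "$root/config.php" | cut -c2-10)
        case $mode in
            *w*)
                echo "FINDING: $root/config.php is writable (mode $mode)"
                findings=$((findings + 1))
                ;;
        esac
    fi
    [ "$findings" -eq 0 ]
}

# Apply the two fixes from the thread: delete install/ and make config.php
# read-only. Refuses to touch a directory that has no config.php.
harden_weberp() {
    root=$1
    [ -f "$root/config.php" ] || { echo "no config.php in $root" >&2; return 1; }
    rm -rf -- "$root/install"
    # If the web server account owns this file or its directory it can undo
    # this, so config.php should belong to a different account.
    chmod a-w "$root/config.php"
}

# Usage: sh weberp_audit.sh /path/to/webERP [--fix]
if [ $# -ge 1 ]; then
    if [ "${2:-}" = "--fix" ]; then harden_weberp "$1" || exit 1; fi
    audit_weberp "$1"
fi
```

The audit reads the mode string rather than testing writability directly, so it gives the same answer when run as root.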