schema.sql on production systems

In a recent network security screening of our production systems running concrete 5.4.1, we were flagged for having /concrete/config/install/schema.sql publicly viewable from any web browser. This finding has generated a discussion about whether the config or install directories should be publicly accessible, or possibly whether the install directory should be removed after installation. Has anyone dealt with this issue?

 
mkly replied:
Because the concrete5 source code is available to anyone here and on GitHub, and concrete5 lists the version number in the head of the served page, I don't really think that seeing the schema.sql really gives anyone anything special.

Mnkras replied:
After concrete5 is installed, there are several checks that make sure that the installer cannot be run again; there is no risk with it being there.