// http://lists.horde.org/archives/imp/Week-of-Mon-20030113/029149.html
$conf['cookie']['path'] = '/horde';
-// Disable the test script (horde/test.php)?
-$conf['testdisable'] = false;
+// Disable the test script (horde/test.php)? For security reasons, this is
+// disabled by default.
+$conf['testdisable'] = true;
// YOU SHOULDN'T CHANGE ANTHING BELOW THIS LINE.
$conf['debug_level'] = E_ALL & ~E_NOTICE;
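Review bot: The new comment above `$conf['testdisable'] = true;` is ambiguous, because "this is disabled by default" sits next to a value of `true` and can be read as saying the option itself is off. A wording that names both the value and its effect avoids the double negative: `// Disable the test script (horde/test.php)? Defaults to true (script disabled), since its output is useful to an attacker.` The same sentence is added to the `desc` attribute of the `testdisable` configboolean in the XML hunk and would benefit from the same rewording.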
with? This will affect the permissions on any temporary files that are
created. This value is an integer.">077</configinteger>
<configboolean name="testdisable" desc="Disable the test script
- (horde/test.php)?">false</configboolean>
+ (horde/test.php)? For security reasons, this is disabled by
+ default">true</configboolean>
<configstring name="tmpdir" required="false" desc="If you want to use a
temporary directory other than the system default or the one specified in
php's upload_tmp_dir value, enter it here."/>
7. Test Horde::
+ [edit horde/config/conf.php and set 'testdisable' to false]
http://your-server/horde/test.php
+ [SECURITY: edit horde/config/conf.php and set 'testdisable' to true]
8. Finish configuration::
http://your-server/horde/test.php
+ The test script is disabled by default for security reasons. To enable
+ set the 'testdisable' configuration option to false. After testing is
+ completed, the testdisable option should be reset to true.
+
Check that your PHP and PEAR versions are acceptably recent, that all
required module capabilities are present, and that ``magic_quotes_runtime``
is set to ``Off``. Then note the ``Session counter: 1`` line under ``PHP
.. _INSTALL: ?f=INSTALL.html
-Restricting test.php files
-==========================
+Restricting the test script
+===========================
+
+The test script (``horde/test.php``) provides a wealth of information that can
+be used against the site by attackers. This script is disabled by default for
+this reason.
+
+This script is configured via the 'testdisable' configuration option.
-The ``test.php`` files provide a wealth of information that can be used
-against the site by attackers. One you have confirmed that everything is
-working, you should disable access to the test.php files, which can be done by
-setting 'testdisable' to true in the Horde configuration.
+After manually enabling the script, and once you have confirmed that
+everything is working, you should disable access to the test script.
Preventing Apache from serving configuration and source files
}
if (!empty($conf['testdisable'])) {
- _hordeTestError('Horde test scripts have been disabled in the local configuration.');
+ _hordeTestError('Horde test scripts have been disabled in the local configuration. To enable, change the \'testdisable\' setting in horde/config/conf.php to false.');
}
/* We should have loaded the String class, from the Horde_Util package. If it
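Review bot: The guard `if (!empty($conf['testdisable']))` fails open, so the safer default only protects a configuration that actually contains `testdisable = true`. If the key is absent from conf.php, or holds false, 0 or an empty string, the test script still runs; an install upgraded with an older conf.php would presumably be in that state. Consider failing closed so that only an explicit false enables the script, for example `if (!isset($conf['testdisable']) || $conf['testdisable'] !== false) {`, after confirming the configuration writer emits a real boolean. The surrounding code starts and continues outside this hunk.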