From: Michael M Slusarz Date: Thu, 22 Apr 2010 17:47:35 +0000 (-0600) Subject: Disable test script by default X-Git-Url: https://git.internetallee.de/?a=commitdiff_plain;h=055b46239d41c44d0dc8363929bd6ea4257f347c;p=horde.git Disable test script by default --- diff --git a/horde/config/conf.php.dist b/horde/config/conf.php.dist index ccfd524f7..dee825d2e 100644 --- a/horde/config/conf.php.dist +++ b/horde/config/conf.php.dist @@ -55,8 +55,9 @@ $conf['cookie']['domain'] = $_SERVER['SERVER_NAME']; // http://lists.horde.org/archives/imp/Week-of-Mon-20030113/029149.html $conf['cookie']['path'] = '/horde'; -// Disable the test script (horde/test.php)? -$conf['testdisable'] = false; +// Disable the test script (horde/test.php)? For security reasons, this is +// disabled by default. +$conf['testdisable'] = true; // YOU SHOULDN'T CHANGE ANTHING BELOW THIS LINE. $conf['debug_level'] = E_ALL & ~E_NOTICE; diff --git a/horde/config/conf.xml b/horde/config/conf.xml index fd3e5f5b7..0411bc07b 100644 --- a/horde/config/conf.xml +++ b/horde/config/conf.xml @@ -34,7 +34,8 @@ with? This will affect the permissions on any temporary files that are created. This value is an integer.">077 false + (horde/test.php)? For security reasons, this is disabled by + default">true diff --git a/horde/docs/INSTALL b/horde/docs/INSTALL index 627ba3a3a..8642d0f03 100644 --- a/horde/docs/INSTALL +++ b/horde/docs/INSTALL @@ -110,7 +110,9 @@ below at Prerequisites_. 7. Test Horde:: + [edit horde/config/conf.php and set 'testdisable' to false] http://your-server/horde/test.php + [SECURITY: edit horde/config/conf.php and set 'testdisable' to true] 8. Finish configuration:: 
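Review bot: The new comment above `$conf['testdisable'] = true;` in conf.php.dist says the default is for security reasons but not what the script exposes or that the value should be set back after use; an admin editing conf.php will see this comment far more often than the INSTALL text that carries the reset instruction. I would replace the two comment lines with `// Disable the test script (horde/test.php)? It reports details of the server's PHP and PEAR setup and module capabilities, so it is disabled by default; enable it only while testing and set it back to true afterwards.` (wrapped to the file's line width). The `description` attribute in the conf.xml hunk on this same line carries the same sentence and would benefit from the same wording, though that hunk is too garbled in this view to quote exactly.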
@@ -624,6 +626,10 @@ Configuring Horde http://your-server/horde/test.php + The test script is disabled by default for security reasons. To enable + set the 'testdisable' configuration option to false. After testing is + completed, the testdisable option should be reset to true. + Check that your PHP and PEAR versions are acceptably recent, that all required module capabilities are present, and that ``magic_quotes_runtime`` is set to ``Off``. Then note the ``Session counter: 1`` line under ``PHP diff --git a/horde/docs/SECURITY b/horde/docs/SECURITY index 2a13ee26c..ad4693fb4 100644 --- a/horde/docs/SECURITY +++ b/horde/docs/SECURITY @@ -99,13 +99,17 @@ etc. that may be in use on your server. .. _INSTALL: ?f=INSTALL.html -Restricting test.php files -========================== +Restricting the test script +=========================== + +The test script (``horde/test.php``) provides a wealth of information that can +be used against the site by attackers. This script is disabled by default for +this reason. + +This script is configured via the 'testdisable' configuration option. -The ``test.php`` files provide a wealth of information that can be used -against the site by attackers. One you have confirmed that everything is -working, you should disable access to the test.php files, which can be done by -setting 'testdisable' to true in the Horde configuration. +After manually enabling the script, and once you have confirmed that +everything is working, you should disable access to the test script. Preventing Apache from serving configuration and source files diff --git a/horde/test.php b/horde/test.php index efa110729..a0756248a 100644 --- a/horde/test.php +++ b/horde/test.php 
@@ -47,7 +47,7 @@ try { } if (!empty($conf['testdisable'])) { - _hordeTestError('Horde test scripts have been disabled in the local configuration.'); + _hordeTestError('Horde test scripts have been disabled in the local configuration. To enable, change the \'testdisable\' setting in horde/config/conf.php to false.'); } /* We should have loaded the String class, from the Horde_Util package. If it
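Review bot: The rewritten `_hordeTestError(...)` message is served to any visitor who requests horde/test.php while the script is disabled, and it now names the configuration file and the exact setting to flip; a blocked visitor needs neither, and this commit already documents the re-enable procedure in INSTALL and SECURITY. I would keep the user-facing text short and point at the docs instead: `_hordeTestError('Horde test scripts have been disabled in the local configuration. See horde/docs/SECURITY for how to enable them temporarily.');`, which also brings the line back under a sane width. Whether the request actually stops here depends on `_hordeTestError` terminating the script, which is defined outside this hunk, as is the `try` block the hunk sits in; if it only prints, the remainder of test.php still runs, so that is worth confirming.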