You are browsing the documentation for iTop 2.7 which is not the current version.

Protect iTop setup

Why

The setup wizard used during the first install can be disabled to reduce the attack surface. Two files are of particular concern:

  • setup/index.php: of course
  • setup/phpinfo.php: gives a lot of information about the system (note that the risk is mitigated by the authentication added in iTop 2.5.2, 2.6.1 and 2.7.0)

How

You shouldn't remove the whole setup/ directory as it contains files that are necessary for iTop.

Instead, you can block web access using a file appropriate to the web server you're using. Such files are already present in the data/ directory, for example:

* Apache httpd : https://github.com/Combodo/iTop/blob/develop/data/.htaccess

* Microsoft IIS : https://github.com/Combodo/iTop/blob/develop/data/web.config
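
One way to apply and then verify the block on Apache httpd, as an added example (not a script shipped with iTop or written by Combodo). The function names are hypothetical, the iTop root path and base URL are supplied by you, and it assumes AllowOverride permits authorization directives in .htaccess files.

```shell
#!/bin/sh
# Added example, not shipped with iTop. Apache httpd only; the rules apply
# only if AllowOverride lets .htaccess files set authorization directives.

# Write a deny-all .htaccess into <itop_root>/setup, keeping the directory itself.
protect_setup() {
    setup_dir="$1/setup"
    [ -d "$setup_dir" ] || { echo "no setup/ directory under $1" >&2; return 1; }
    # Keep a copy of any existing file instead of silently overwriting it.
    if [ -e "$setup_dir/.htaccess" ]; then
        mv "$setup_dir/.htaccess" "$setup_dir/.htaccess.bak" || return 1
    fi
    cat > "$setup_dir/.htaccess" <<'EOF'
# Apache 2.4
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
# Apache 2.2
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# Map an HTTP status code (as printed by curl) to a verdict.
classify_status() {
    case "$1" in
        403|404) echo blocked ;;
        000)     echo unreachable ;;   # curl could not connect
        *)       echo served ;;        # 200, redirects, login pages, ...
    esac
}

# Request the two files named above; non-zero exit if either is not blocked.
check_setup_blocked() {
    base_url="${1%/}"
    rc=0
    for f in setup/index.php setup/phpinfo.php; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "$base_url/$f") || code=000
        verdict=$(classify_status "$code")
        echo "$verdict $f (HTTP $code)"
        [ "$verdict" = blocked ] || rc=1
    done
    return "$rc"
}
```

After sourcing the file, call `protect_setup` with your iTop root directory and `check_setup_blocked` with the instance's base URL. Anything reported as `served` is still reachable from the web.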

iTop update

To ease iTop update, you might want to automate the procedure. See Automated installation.

2_7_0/install/itop_setup_protection.txt · Last modified: 2021/06/29 09:08 by 127.0.0.1