:: Version 3.2.0 ::

Protect iTop setup

Why

The setup wizard used during the first install can be disabled afterwards to reduce the attack surface. Two files are of particular concern:

  • setup/index.php: the setup wizard itself
  • setup/phpinfo.php: exposes a lot of information about the system (note that this risk has been mitigated by adding authentication since iTop 2.5.2, 2.6.1 and 2.7.0)

How

You shouldn't remove the whole setup/ directory as it contains files that are necessary for iTop.

Instead, block web access to it with a configuration file appropriate to your web server. Such files are already present in the data/ directory, for example:

  • Apache httpd: https://github.com/Combodo/iTop/blob/develop/data/.htaccess
  • Microsoft IIS: https://github.com/Combodo/iTop/blob/develop/data/web.config
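
One way to apply and then verify the block on Apache httpd, as an added example that is not part of the iTop documentation or code base. It assumes that copying data/.htaccess into setup/ suits your install; the function names, the install path and the URL are hypothetical.

```shell
#!/bin/sh
# Added example, not iTop's own tooling. Paths and URL are assumptions.

# Copy the deny-all file shipped in data/ into setup/ (Apache httpd case).
# Any existing setup/.htaccess is kept as setup/.htaccess.bak.
protect_setup() {
    itop_root=$1
    src="$itop_root/data/.htaccess"
    dst="$itop_root/setup/.htaccess"
    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
    [ -d "$itop_root/setup" ] || { echo "missing setup/ directory" >&2; return 1; }
    if [ -f "$dst" ]; then cp -p "$dst" "$dst.bak" || return 1; fi
    cp -p "$src" "$dst"
}

# Classify the HTTP status returned for a setup/ URL.
# Only 403 and 404 prove the web server refuses to serve the file; 200,
# redirects to a login page and 000 (no connection) count as not blocked.
is_blocked() {
    case $1 in
        403|404) return 0 ;;
        *) return 1 ;;
    esac
}

# Request the two files named above and report the result for each.
# Returns non-zero if either one is still served.
verify_setup_blocked() {
    base_url=${1%/}
    rc=0
    for path in setup/index.php setup/phpinfo.php; do
        code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
            "$base_url/$path") || true
        if is_blocked "$code"; then
            echo "OK      $path -> $code"
        else
            echo "EXPOSED $path -> $code"
            rc=1
        fi
    done
    return $rc
}

# Usage (hypothetical path and URL):
#   protect_setup /var/www/html/itop && verify_setup_blocked https://itop.example.com
```

Apache only honours a .htaccess file when AllowOverride permits it for that directory, so the HTTP check is what confirms the block is actually in effect.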

iTop update

To ease iTop updates, you might want to automate the procedure. See Automated installation.

3_2_0/install/itop_setup_protection.txt · Last modified: 2024/09/10 10:25 by 127.0.0.1