
Preventing access to install.php and update.php

Today's security announcement highlights the perils of leaving install.php and update.php reachable on production sites. This article shows how to quickly deny access to install.php and update.php in an Apache environment, with special mention of how to apply it to all of your sites if you're using Aegir.

by lee.rowlands

Background

Today's security announcement highlights the potential consequences of leaving install.php and update.php on your production sites. Given that it's best practice to use a deployment approach such as Capistrano, Aegir or some other combination of tools like git, Jenkins, drush, etc., access to install.php and update.php should not be needed on a production site.

Techniques

In your vhost file

You can easily block access to install.php and update.php with this one-line entry in your Apache vhost config (the dot is escaped so the pattern only matches a literal ".php"; RedirectMatch is tested against the URL path, so a query string such as ?op=selection does not bypass it):

# Deny install.php and update.php anywhere under the document root.
RedirectMatch 403 "/(install|update)\.php"

Restart Apache and you're away: requests to install.php or update.php will now result in a 403.

Aegir

As the vhost files in Aegir are dynamically generated, you need to use some special sauce to achieve the same result.

As detailed in the Aegir documentation, you can create drush .inc files to inject additional config into a site's vhost config.

To do so, create the following file at /var/aegir/.drush/install_php.drush.inc:

<?php
// Implements hook_provision_apache_vhost_config(): the returned line is injected into every site's vhost.
function install_php_provision_apache_vhost_config($uri, $data) {
  return "RedirectMatch 403 \"/(install|update)\\.php\"";
}

Then it's simply a matter of verifying each site through the Aegir interface, which in turn regenerates the vhost config with the new entry.

Any new sites created will automatically get this entry.
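Whichever route you take, it's worth confirming from the access log that the rule is actually in effect on every site. The script below is an added example, not part of the original post: it applies the same regex as the RedirectMatch line to Apache combined-format log lines (the sample lines are constructed) and reports any install.php or update.php request that was not answered with a 403.

```python
import re

# Apache combined log format: client, timestamp, request line, status, bytes, referer, agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

# Same pattern as the vhost entry: RedirectMatch 403 "/(install|update)\.php"
SENSITIVE_RE = re.compile(r'/(install|update)\.php')

# Constructed sample log lines (not real traffic). The last one shows a site
# where the rule has not been deployed: update.php still answers 200.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2012:13:55:36 +1000] "GET /install.php HTTP/1.1" 403 199 "-" "curl/7.26"
203.0.113.5 - - [10/Oct/2012:13:55:40 +1000] "GET /update.php?op=selection HTTP/1.1" 403 199 "-" "curl/7.26"
198.51.100.9 - - [10/Oct/2012:14:01:02 +1000] "GET /node/1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2012:14:02:17 +1000] "GET /update.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
"""


def audit_sensitive_requests(log_text):
    """Return (hits, unblocked).

    hits: every (ip, path, status) whose path matches the RedirectMatch pattern.
    unblocked: the subset that did not get a 403, i.e. the rule is missing there.
    """
    hits, unblocked = [], []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        # RedirectMatch is matched against the URL path only, so drop the query string.
        path = m.group("target").split("?", 1)[0]
        if SENSITIVE_RE.search(path):
            entry = (m.group("ip"), path, int(m.group("status")))
            hits.append(entry)
            if entry[2] != 403:
                unblocked.append(entry)
    return hits, unblocked


if __name__ == "__main__":
    hits, unblocked = audit_sensitive_requests(SAMPLE_LOG)
    print(f"{len(hits)} request(s) to install.php/update.php, {len(unblocked)} not blocked")
    for ip, path, status in unblocked:
        print(f"  NOT BLOCKED: {ip} {path} -> {status}")
```

Run it against a real access log (for example by reading /var/log/apache2/access.log into audit_sensitive_requests) after restarting Apache or re-verifying your Aegir sites; an empty unblocked list means the rule is doing its job.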

Summary

Denying access to install.php and update.php on a production server is good practice, and given how easy it is to achieve, it should be part of your standard configuration.

Posted by lee.rowlands
Senior Drupal Developer


Comments

Comment by Dave Hall


I use a variation of this for most of my sites, but I include cron.php in the blacklist. If you're using Aegir then cron is already executed via drush and it is easy to implement that for standalone sites too.

Comment by Balboa


I went to tons of links before this, what was I thinking?
