roundcubemail complains about accessible installer script where there is none

Discussion in 'Plugins/Modules/Addons' started by DrMartinus, Oct 19, 2019.

  1. DrMartinus

    DrMartinus Member HowtoForge Supporter

    Hi,
    when I open roundcubemail (login screen), I find the following message:
    Code:
    Installer script is still accessible
    The install script of your Roundcube installation is still stored in its default location!
    
    Please remove the whole installer folder from the Roundcube directory because . these files may expose sensitive configuration data like server passwords and encryption keys to the public. Make sure you cannot access the installer script from your browser.
    
    When I click on the link provided I get a 403 error. The link leads to a folder that doesn't exist. How can I get rid of that message? It's version 1.1.12
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I believe it is this code that checks if the file is there:
    Code:
    // check if installer is still active
        if ($RCMAIL->config->get('enable_installer') && is_readable('./installer/index.php')) {
    Show output of ls command to verify what is in that installer directory.
     
  3. DrMartinus

    DrMartinus Member HowtoForge Supporter

    That's easy, there is no ./installer directory, because I removed it. The only thing that I could imagine is that I have missed the location of the roundcube installation. I found it in /var/www/html/roundcubemail. If it has been installed elsewhere, I would need to know where.
     
  4. DrMartinus

    DrMartinus Member HowtoForge Supporter

    I found it in /usr/share/roundcubemail. It seems the script checked there. After removing the installer directory from there, the message doesn't popup any more. However: for what purpose is the installation in /var/www?
     

Share This Page