MyBB Community Forums

Full Version: Exploiting The Merge System
Are you guys aware that a major security flaw exists with the merge system? It should not be open to the public as it is.

If I leave an open merge directory then anyone can upload a shelled database and get access to my site. It should be fixed.
(2014-03-25, 01:45 PM)Charisma Wrote: Are you guys aware that a major security flaw exists with the merge system? It should not be open to the public as it is.

If I leave an open merge directory then anyone can upload a shelled database and get access to my site. It should be fixed.

Or you could be a responsible web admin and remove the merge directory once you have completed the merge?
There is no upload functionality in the Merge System, so if you are getting a bad database installed then it is another problem with your server. The Merge System only migrates existing data between databases and folders.

And you should remove the Merge folder when you are done with your work, or even use htaccess to control the IPs that have access to that folder while you are using it.
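The two controls in the reply above, removing the merge folder and IP-restricting it while it is in use, as an added example that is not MyBB project code: a small audit function that reports whether a document root still carries an open merge/ directory, and a helper that writes the allow-list .htaccess. The docroot path, the admin addresses and the assumption that Apache 2.4 honours .htaccess (AllowOverride AuthConfig) in that directory are mine.

```shell
#!/bin/sh
# Audit a MyBB document root for a leftover merge/ directory.
# Return codes of check_merge_dir:
#   0 - merge/ is absent (the recommended end state after a merge)
#   1 - merge/ exists but carries an .htaccess with an IP allow-list
#   2 - merge/ exists and is reachable by anyone
check_merge_dir() {
    docroot="$1"
    merge_dir="$docroot/merge"
    if [ ! -d "$merge_dir" ]; then
        echo "OK: $merge_dir not present"
        return 0
    fi
    # Accept either Apache 2.4 (Require ip) or 2.2 (Allow from) allow-lists.
    if [ -f "$merge_dir/.htaccess" ] &&
       grep -Eq '^[[:space:]]*(Require ip|Allow from)' "$merge_dir/.htaccess"; then
        echo "WARN: $merge_dir still present but IP-restricted; delete it when the merge is done"
        return 1
    fi
    echo "FAIL: $merge_dir is present and open to the public"
    return 2
}

# Write an .htaccess that admits only the listed admin addresses while the
# merge runs (Apache 2.4 syntax: with only "Require ip" lines present, every
# other client is denied).  Assumes AllowOverride AuthConfig is enabled for
# this directory; the addresses passed in are placeholders chosen by the admin.
write_merge_htaccess() {
    merge_dir="$1"
    shift
    {
        echo "# Temporary: restrict the Merge System to admin IPs; remove merge/ afterwards"
        for ip in "$@"; do
            echo "Require ip $ip"
        done
    } > "$merge_dir/.htaccess"
}

# Usage (constructed example): check_merge_dir /var/www/html
#   write_merge_htaccess /var/www/html/merge 203.0.113.10 198.51.100.7
```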
(2014-03-25, 01:45 PM)Charisma Wrote: Are you guys aware that a major security flaw exists with the merge system? It should not be open to the public as it is.

If I leave an open merge directory then anyone can upload a shelled database and get access to my site. It should be fixed.

You should probably report "major" security flaws privately to the team.

With that said, it's not a big deal since the merge system is not meant to be kept live. I think the directions even say to delete the files. And as already stated there is no "upload" functionality in the script as it uses databases that are already on the db server.
It's the same thing as leaving any other installation directory open. If the web master isn't intelligent enough to remove the directory after use, there are other vulnerabilities as well.