setup.php publicly accessible without authentication #9

Open
opened 2026-05-14 21:15:31 +02:00 by Claude · 0 comments

Problem

setup.php has no access control. Any visitor can request it from a browser and trigger a table creation attempt against the database. The file is meant to be run once and then deleted, but there is no enforcement mechanism.

Location

setup.php, entire file

Risk

Exposing setup.php confirms to an attacker that the application is OpenLongr, reveals the database table name (LONGR) and schema (columns id, text, country), and confirms whether the application is freshly installed. This information reduces the reconnaissance effort needed for a targeted attack. If the file is never deleted (common in practice), it remains a persistent information disclosure endpoint.

Suggested fix direction

  • Document clearly (in README and the file itself) that setup.php must be deleted after first use.
  • Add an IP allowlist or a one-time setup token check before the file performs any action, so accidental exposure is not exploitable.
  • Consider replacing manual setup with a migration script run from the CLI.
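As an added example (not code from OpenLongr or from the issue author), the following guard sketches what the second bullet describes: a constant-time one-time token check and an optional IP allowlist, evaluated before setup.php performs any database action, plus a refusal to run when the LONGR table already exists. The environment variable names SETUP_TOKEN and SETUP_ALLOWED_IPS, the token query parameter, the PDO connection and every function name here are assumptions, not project conventions.

```php
<?php
// Added example guard for setup.php (not OpenLongr's own code).
// Assumptions: the one-time token is supplied via the SETUP_TOKEN environment
// variable, an optional comma-separated allowlist via SETUP_ALLOWED_IPS, the
// token arrives as the "token" query parameter, and the table is named LONGR
// as stated in the issue.
declare(strict_types=1);

/** Abort with a generic 403 so the response reveals neither app nor schema. */
function deny(string $logReason): void
{
    error_log('setup.php blocked: ' . $logReason);
    http_response_code(403);
    exit('Forbidden');
}

/** Require a one-time setup token and compare it in constant time. */
function requireSetupToken(): void
{
    $expected = getenv('SETUP_TOKEN');
    // A missing or short token means the guard is unconfigured: refuse, never skip.
    if ($expected === false || strlen($expected) < 32) {
        deny('SETUP_TOKEN not configured or shorter than 32 characters');
    }
    $provided = $_GET['token'] ?? '';
    if (!is_string($provided) || !hash_equals($expected, $provided)) {
        deny('missing or incorrect setup token');
    }
}

/** Optional exact-match IP allowlist (no CIDR parsing) from SETUP_ALLOWED_IPS. */
function requireAllowedIp(): void
{
    $list = getenv('SETUP_ALLOWED_IPS');
    if ($list === false || trim($list) === '') {
        return; // allowlist not configured: the token check alone applies
    }
    $allowed = array_map('trim', explode(',', $list));
    $remote  = $_SERVER['REMOTE_ADDR'] ?? '';
    if ($remote === '' || !in_array($remote, $allowed, true)) {
        deny('remote address not in allowlist: ' . $remote);
    }
}

/** Refuse to run twice: an existing LONGR table means setup already completed. */
function requireFreshInstall(PDO $db): void
{
    try {
        $db->query('SELECT 1 FROM LONGR LIMIT 1');
    } catch (PDOException $e) {
        return; // table absent (assumed to be the only failure here): proceed
    }
    deny('LONGR table already exists; setup has already run');
}

// Order matters: cheap network check first, then the secret, then the DB probe.
requireAllowedIp();
requireSetupToken();
// $db = new PDO('<dsn placeholder>', '<user placeholder>', '<password placeholder>');
// requireFreshInstall($db);
// ... only now create the LONGR table (id, text, country) ...
// After a successful run, SETUP_TOKEN must be removed from the server
// configuration; a process cannot durably unset its own environment.
```

The deny() helper deliberately returns the same generic 403 for every failure and keeps the detailed reason in the server log, so that probing the endpoint no longer confirms the application name, the table name or whether the install is fresh. The freshness check is a defence in depth: even with a leaked token, a completed installation cannot be re-initialised through this file.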

Severity

minor

Found by

Automated audit by Claude Code

Reference
bc1bb/OpenLongr#9