Admin.php

cbezuidenhout wrote on Thursday, January 12, 2012:

Should this file not be protected in some way?

It seems like on a multiple site installation (which is what it is for) it gives a lot of information that should not be readily available.

Perhaps a simple password check?

tmccormi wrote on Thursday, January 12, 2012:

It should be, but it has to be done at the site install level, using .htaccess or similar.  In my opinion.
-Tony

bradymiller wrote on Thursday, January 12, 2012:

Hi,
I initially thought this also, but it really only provides a login link to all the sites if you disable the setup.php script. Here’s a listing of files to consider securing/removing:
http://www.open-emr.org/wiki/index.php/Securing_OpenEMR#OpenEMR
I actually removed the admin.php file from this list, because it can’t really do much if the setup.php script is gone/disabled/secured.
-brady