ezinfo/about and other standard pages

Author Message

Maarten Holland

Thursday 22 July 2004 1:20:32 am

Hi all,

I've noticed that there is a page ezinfo/about. Am I allowed to disable this page or is this a sort of copyright that must be enabled?

I also like to know if there are more of this sort of pages so I'm not publicing information without my knowledge.

Thank you,

Maarten

Ole Morten Halvorsen

Tuesday 27 July 2004 6:11:22 am

Hi Maarten,

Yes you are free to disable the ezinfo/about page if you want.
If I am not mistaken you can remove this by commenting out PolicyOmitList[]=ezinfo in your site.ini file. Users wanting to view the ezinfo/about will now require permission which they don`t have by default.

Look through the kernel/ directory for different modules/views which you might not need and can disable.

Ole M.

Senior Software Engineer - Vision with Technology

http://www.visionwt.com
http://www.omh.cc
http://www.twitter.com/omh

eZ Certified Developer
http://ez.no/certification/verify/358441
http://ez.no/certification/verify/272578

Maarten Holland

Tuesday 27 July 2004 7:32:42 am

Thank you Ole,

It's not that I don't want to give eZ systems the credits you deserve, but this is for a corporate page and my CEO probably doesn't want it :-(

I've disabled it using a virtual URL that maps to my root page. I'll go and check the kernel/ directory for other views.

Cheers,

Maarten

Alexandre Cunha

Sunday 26 September 2004 11:56:40 am

well, creating a virtual url to overide ezinfo/<anything> doest work on ezp 3.4.2
PolicyOmitList[]=ezinfo doest work too.
Any ideas without the need to dig in the php code ?

http://AlexandreCunha.com

Luc Chase

Sunday 17 April 2011 12:17:34 pm

Blocking or disabling ezinfo can be done in a couple of ways. On Apache you could add some .htaccess or RewiteRules and/or within eZ you could add some policy omit rules. But why? It's not going to make a site any more secure.
Is this a way of ( not ) solving a problem that doesn't exist?
What risks does this step resolve? I doubt that not announcing your version number and installed extensions is a way to secure a system. If the site is vulnerable to attack I don't think it would be because the ezinfo/about is working.
Security through obscurity is not best practice... it's not even second-best. Your system needs to be made secure; even when everyone knows how it works. One reason why widely used opensource software tends towards being very secure.

The Web Application Service Provider

Heath

Sunday 17 April 2011 3:37:12 pm

Hello Martin,

You can add the following code to your site.ini override (settings/override/site.ini.append.php)

This code should disable the module view across all siteaccesses.

[SiteAccessRules]
Rules[]
Rules[]=access;enable
Rules[]=moduleall
Rules[]=access;disable
Rules[]=module;ezinfo/about
Rules[]=module;content/tipafriend

I hope this helps others. Normally I recommend against disabling this view.

Cheers,

Heath

Brookins Consulting | http://brookinsconsulting.com/
Certified | http://auth.ez.no/certification/verify/380350
Solutions | http://projects.ez.no/users/community/brookins_consulting
eZpedia community documentation project | http://ezpedia.org

Powered by eZ Publish™ CMS Open Source Web Content Management. Copyright © 1999-2014 eZ Systems AS (except where otherwise noted). All rights reserved.