Meta tags reveal the version number

A place to report and discuss bugs - please mention CMSimple-version, server, platform and browser version
lillebitte
Posts: 55
Joined: Fri Jan 29, 2016 7:20 am

Meta tags reveal the version number

Post by lillebitte » Fri Jan 29, 2016 3:27 pm

It is a bad idea to reveal the version number in the head section of a website. This way old versions is more vulnerable to attackers, who might go for security issues in old installations. <?php echo head();?> also reveal the installed plugins, unnecessary information too. I think it is a good idea to have these informations in a installation, but only to be visible for admins.

cmb
Posts: 14225
Joined: Tue Jun 21, 2011 11:04 am
Location: Bingen, RLP, DE
Contact:

Re: Meta tags reveal the version number

Post by cmb » Fri Jan 29, 2016 7:59 pm

I agree that this information makes it easier for attackers to exploit vulnerabilities. OTOH it is valuable for supporters (the info about installed plugins has been added for this reason) and for statistics (such as produced by w3techs, for instance), and of course users are strongly encouraged to update ASAP when vulnerabilities have been found and fixed.

What do you think of making this configurable (similar to PHP's setting expose_php)?
Christoph M. Becker – Plugins for CMSimple_XH

svasti
Posts: 1651
Joined: Wed Dec 17, 2008 5:08 pm

Re: Meta tags reveal the version number

Post by svasti » Fri Jan 29, 2016 8:21 pm

I had also contact to a user who wanted to hide this for extra security, so that no one knows what CMS is used.
I suggest to have a setting (e.g. hide_CMSdata_inHTML) in the upcoming extra config section (how was it called?), as most users won't bother.

lillebitte
Posts: 55
Joined: Fri Jan 29, 2016 7:20 am

Re: Meta tags reveal the version number

Post by lillebitte » Fri Jan 29, 2016 8:58 pm

No doubt that a setting like hide_CMSdata_inHTML would be better than nothing, while display_CMSdata_inHTML would be even better. I mean that it of cause should not be shown as default. I do believe though, that it is a good idea to have the data shown somewhere as long as it is not public, for support reasons, or just to be sure which system to update :-). I know that other popular systems such as e.g. Moodle or WordPress, stopped revealing these sensitive data long ago. If users in general don't bother, it is just an argument for enlightening them on security issues, not for taking security less seriously. I do not know much about PHP, so I can not comment on the PHP setting expose_php.

olape
Posts: 2713
Joined: Fri Mar 13, 2015 8:47 am
Contact:

Re: Meta tags reveal the version number

Post by olape » Tue Feb 09, 2016 9:20 am

Hello,

I think it's a good idea.
My solution to date:

/cmsimple/tplfuncs.php, the lines 74-102 (function head()) replace with:

Code: Select all

function head()
{
	global $title, $cf, $pth, $tx, $hjs;

	$t = XH_title($cf['site']['title'], $title);
	$t = '<title>' . strip_tags($t) . '</title>' . "\n";
	foreach (array_merge($cf['meta'], $tx['meta']) as $i => $k) {
		$t .= meta($i);
	}
	$t = tag('meta http-equiv="content-type" content="text/html;charset=UTF-8"')
		. "\n" . $t;
	$plugins = implode(', ', XH_plugins());
	if (error_reporting() > 0) {
		return $t
		. tag(
			'meta name="generator" content="' . CMSIMPLE_XH_VERSION . ' '
			. CMSIMPLE_XH_BUILD . ' - www.cmsimple-xh.org"'
		) . "\n"
		. '<!-- plugins: ' . $plugins . ' -->' . "\n"
		. XH_renderPrevLink() . XH_renderNextLink() . "\n"
		. tag(
			'link rel="stylesheet" href="' . $pth['file']['corestyle']
			. '" type="text/css"'
		) . "\n"
		. tag(
			'link rel="stylesheet" href="' . $pth['file']['stylesheet']
			. '" type="text/css"'
		) . "\n"
		. $hjs;
	} else {
		return $t
		. XH_renderPrevLink() . XH_renderNextLink() . "\n"
		. tag(
			'link rel="stylesheet" href="' . $pth['file']['corestyle']
			. '" type="text/css"'
		) . "\n"
		. tag(
			'link rel="stylesheet" href="' . $pth['file']['stylesheet']
			. '" type="text/css"'
		) . "\n"
		. $hjs;
	}
}
Then you can it only be seen when the debug mode is enabled.

greeting Olaf
Gruß Olaf, Plugins for CMSimple_XH

Ich habe schon lange den Verdacht, dass so viele so eifrig auf Gender, Trans und Queer machen:
Weil sie für das Fachliche ganz einfach zu doof sind.

cmb
Posts: 14225
Joined: Tue Jun 21, 2011 11:04 am
Location: Bingen, RLP, DE
Contact:

Re: Meta tags reveal the version number

Post by cmb » Tue Feb 09, 2016 1:31 pm

lillebitte wrote:I do not know much about PHP, so I can not comment on the PHP setting expose_php.
This setting is Off by default, and it's recommended to leave it this way on publicly available servers, so you have a point.
olape wrote:Then you can it only be seen when the debug mode is enabled.
Interesting solution, which would spare us another config option.
Christoph M. Becker – Plugins for CMSimple_XH

svasti
Posts: 1651
Joined: Wed Dec 17, 2008 5:08 pm

Re: Meta tags reveal the version number

Post by svasti » Sat Feb 13, 2016 8:16 pm

I put it on the roadmap.

cmb
Posts: 14225
Joined: Tue Jun 21, 2011 11:04 am
Location: Bingen, RLP, DE
Contact:

Re: Meta tags reveal the version number

Post by cmb » Sun Feb 14, 2016 2:34 pm

svasti wrote:I put it on the roadmap.
Thanks!
Christoph M. Becker – Plugins for CMSimple_XH

lillebitte
Posts: 55
Joined: Fri Jan 29, 2016 7:20 am

Re: Meta tags reveal the version number

Post by lillebitte » Sun Dec 18, 2016 11:35 am

Thank you for the CMSimple_SH update.
But what happened to the idea about not revealing version in the meta tags?

cmb
Posts: 14225
Joined: Tue Jun 21, 2011 11:04 am
Location: Bingen, RLP, DE
Contact:

Re: Meta tags reveal the version number

Post by cmb » Sun Dec 18, 2016 12:27 pm

lillebitte wrote:But what happened to the idea about not revealing version in the meta tags?
Thanks for the reminder! This idea was on the XH 1.7 roadmap; I've moved it to the 1.6.10 roadmap now.
Christoph M. Becker – Plugins for CMSimple_XH

Post Reply