Meta tags reveal the version number
- Posts: 55
- Joined: Fri Jan 29, 2016 7:20 am
Meta tags reveal the version number
It is a bad idea to reveal the version number in the head section of a website. This way old versions are more vulnerable to attackers, who might go for security issues in old installations. <?php echo head();?> also reveals the installed plugins, which is unnecessary information too. I think it is a good idea to have this information in an installation, but only visible to admins.
Re: Meta tags reveal the version number
I agree that this information makes it easier for attackers to exploit vulnerabilities. OTOH it is valuable for supporters (the info about installed plugins has been added for this reason) and for statistics (such as produced by w3techs, for instance), and of course users are strongly encouraged to update ASAP when vulnerabilities have been found and fixed.
What do you think of making this configurable (similar to PHP's setting expose_php)?
Christoph M. Becker – Plugins for CMSimple_XH
Re: Meta tags reveal the version number
I have also had contact with a user who wanted to hide this for extra security, so that no one knows what CMS is used.
I suggest having a setting (e.g. hide_CMSdata_inHTML) in the upcoming extra config section (what was it called?), as most users won't bother.
- Posts: 55
- Joined: Fri Jan 29, 2016 7:20 am
Re: Meta tags reveal the version number
No doubt that a setting like hide_CMSdata_inHTML would be better than nothing, while display_CMSdata_inHTML would be even better. I mean that it of course should not be shown by default. I do believe though that it is a good idea to have the data shown somewhere as long as it is not public, for support reasons, or just to be sure which system to update. I know that other popular systems, such as e.g. Moodle or WordPress, stopped revealing this sensitive data long ago. If users in general don't bother, it is just an argument for enlightening them on security issues, not for taking security less seriously. I do not know much about PHP, so I cannot comment on the PHP setting expose_php.
Re: Meta tags reveal the version number
Hello,
I think it's a good idea.
My solution to date:
/cmsimple/tplfuncs.php, the lines 74-102 (function head()) replace with the following; then it can only be seen when debug mode is enabled:
    function head()
    {
        global $title, $cf, $pth, $tx, $hjs;

        $t = XH_title($cf['site']['title'], $title);
        $t = '<title>' . strip_tags($t) . '</title>' . "\n";
        foreach (array_merge($cf['meta'], $tx['meta']) as $i => $k) {
            $t .= meta($i);
        }
        $t = tag('meta http-equiv="content-type" content="text/html;charset=UTF-8"')
            . "\n" . $t;
        $plugins = implode(', ', XH_plugins());
        // The generator meta tag and the plugin list are only emitted while
        // debug mode is on (error_reporting() > 0); otherwise they are left out.
        if (error_reporting() > 0) {
            return $t
                . tag(
                    'meta name="generator" content="' . CMSIMPLE_XH_VERSION . ' '
                    . CMSIMPLE_XH_BUILD . ' - www.cmsimple-xh.org"'
                ) . "\n"
                . '<!-- plugins: ' . $plugins . ' -->' . "\n"
                . XH_renderPrevLink() . XH_renderNextLink() . "\n"
                . tag(
                    'link rel="stylesheet" href="' . $pth['file']['corestyle']
                    . '" type="text/css"'
                ) . "\n"
                . tag(
                    'link rel="stylesheet" href="' . $pth['file']['stylesheet']
                    . '" type="text/css"'
                ) . "\n"
                . $hjs;
        } else {
            return $t
                . XH_renderPrevLink() . XH_renderNextLink() . "\n"
                . tag(
                    'link rel="stylesheet" href="' . $pth['file']['corestyle']
                    . '" type="text/css"'
                ) . "\n"
                . tag(
                    'link rel="stylesheet" href="' . $pth['file']['stylesheet']
                    . '" type="text/css"'
                ) . "\n"
                . $hjs;
        }
    }
Greetings, Olaf
Regards Olaf, Plugins for CMSimple_XH
I have long suspected why so many are so eager about gender, trans and queer:
because they are simply too dumb for the technical stuff.
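As an added example (not code from this thread or from CMSimple_XH), a small Python check that a site operator can run over a fetched page to confirm that neither the generator meta tag nor the `<!-- plugins: ... -->` comment reaches anonymous visitors; both HTML samples below are constructed.

```python
import re
from html.parser import HTMLParser

# Constructed samples: the first mimics what the default head() emits, the
# second what a debug-gated head() emits outside debug mode.
EXPOSED_HTML = (
    '<html><head><meta http-equiv="content-type" content="text/html;charset=UTF-8">\n'
    '<title>Sample site</title>\n'
    '<meta name="generator" content="CMSimple_XH 0.0.0-sample 2016 - www.cmsimple-xh.org">\n'
    '<!-- plugins: filebrowser, pagemanager, tinymce -->\n'
    '<link rel="stylesheet" href="core.css" type="text/css"></head><body></body></html>'
)
HARDENED_HTML = (
    '<html><head><meta http-equiv="content-type" content="text/html;charset=UTF-8">\n'
    '<title>Sample site</title>\n'
    '<link rel="stylesheet" href="core.css" type="text/css"></head><body></body></html>'
)


class HeadDisclosureScanner(HTMLParser):
    """Collects <meta name="generator"> contents and '<!-- plugins: ... -->' comments."""

    def __init__(self):
        super().__init__()
        self.generators = []
        self.plugins = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k: v for k, v in attrs}  # attribute values may be None
        if (a.get("name") or "").lower() == "generator" and a.get("content"):
            self.generators.append(a["content"])

    def handle_comment(self, data):
        m = re.match(r"\s*plugins:\s*(.*?)\s*$", data, re.S)
        if m:
            self.plugins.extend(p.strip() for p in m.group(1).split(",") if p.strip())


def scan_head(html):
    """Return the version and plugin information a page discloses to any visitor."""
    s = HeadDisclosureScanner()
    s.feed(html)
    s.close()
    return {"generators": s.generators, "plugins": s.plugins}


def disclosure_findings(html):
    """Human-readable findings; an empty list means nothing CMS-identifying was found."""
    r = scan_head(html)
    out = [f"generator meta tag reveals: {g}" for g in r["generators"]]
    if r["plugins"]:
        out.append("plugin list comment reveals: " + ", ".join(r["plugins"]))
    return out
```

Feed it the body of a response fetched without an admin session; an empty result from disclosure_findings confirms the hardened head() is in effect.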
Re: Meta tags reveal the version number
lillebitte wrote:
> I do not know much about PHP, so I cannot comment on the PHP setting expose_php.
This setting is Off by default, and it's recommended to leave it this way on publicly available servers, so you have a point.
olape wrote:
> Then it can only be seen when debug mode is enabled.
Interesting solution, which would spare us another config option.
Christoph M. Becker – Plugins for CMSimple_XH
Re: Meta tags reveal the version number
I put it on the roadmap.
Re: Meta tags reveal the version number
svasti wrote:
> I put it on the roadmap.
Thanks!
Christoph M. Becker – Plugins for CMSimple_XH
- Posts: 55
- Joined: Fri Jan 29, 2016 7:20 am
Re: Meta tags reveal the version number
Thank you for the CMSimple_XH update.
But what happened to the idea about not revealing the version in the meta tags?
Re: Meta tags reveal the version number
lillebitte wrote:
> But what happened to the idea about not revealing the version in the meta tags?
Thanks for the reminder! This idea was on the XH 1.7 roadmap; I've moved it to the 1.6.10 roadmap now.
Christoph M. Becker – Plugins for CMSimple_XH