Visible version number in source code
I am not sure how big of an issue this really is, but what do you think about the fact that Concrete5 shows the currently running version number in the source code?
For example:
<meta name="generator" content="concrete5 - 5.6.0.2" />
Could this produce a security risk in the future if there were a security hole, for example, in version 5.6.0.2 of concrete5?
This could lead hackers into finding sites with the particular version number.
I think at least phpBB had this problem in some versions and because of this phpBB removed the version number information from being publicly visible.
Indeed.
The reason I was thinking about this is that usually people are lazy in upgrading their sites.
Personally we have had clients whom we have asked to upgrade time and time again. But some people just don't see it as important as the developers of the site do.
Making the version number visible to the outside world could make it an easier case for hackers to find versions with security holes.
And personally I don't see the advantages of showing the version number to the outside world.
No reason to make life easier for the bad guys. ;)
It might also help you to convince your customers to upgrade to a newer version ;-)
I also think the version number should be hidden. Most of us should know that you can't just update most C5 websites without spending a fair amount of time navigating around problems that occur.
It's quite likely, for example, that you have to rework many of the overridden core files.
Looks good to me. :)
The default setting would still be the same, so there is no risk that it would break anything, and those people who want to hide the version number should be aware that they've changed something.
I like it. Definitely better than having to override header_required.php each time.
But we should keep in mind that concrete5.org uses this meta tag in the galleries to check if a submitted site is actually made with c5. So you might have to enable version output, then submit, and disable version numbers afterwards.
There's still content="concrete5" in the tag. Just the version number is hidden.
Shouldn't this be enough for checking if a site is made with concrete5?
Of course I am not sure if concrete5.org also checks for the version number but this could probably be changed if the version number option is added to the core.
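A check a site operator can run against their own pages to confirm whether the generator tag still discloses a version after the hiding option is turned on. This is an added example, not code from the thread or from concrete5; the "concrete5 - 5.6.0.2" tag format and the two sample pages are assumed from the example posted above.

```python
from html.parser import HTMLParser
import re

# Matches the generator format seen in the thread: "concrete5 - 5.6.0.2".
# The version part is optional so a hardened tag ("concrete5") is still recognised.
GENERATOR_RE = re.compile(
    r"^\s*(?P<product>concrete5)(?:\s*-\s*(?P<version>[\d.]+))?\s*$", re.IGNORECASE
)


class GeneratorMetaParser(HTMLParser):
    """Collects the content attribute of every <meta name="generator"> tag."""

    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        # Self-closing <meta ... /> also reaches this method via handle_startendtag.
        if tag.lower() != "meta":
            return
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if attrs.get("name", "").lower() == "generator":
            self.generators.append(attrs.get("content", ""))


def check_version_disclosure(html):
    """Report what the page's generator tag reveals.

    Returns a dict with 'product' (CMS name if a concrete5 generator tag was
    found, else None), 'version' (the disclosed version string or None) and
    'discloses_version' (True when a version number is visible to visitors).
    """
    parser = GeneratorMetaParser()
    parser.feed(html)
    for content in parser.generators:
        match = GENERATOR_RE.match(content)
        if match:
            version = match.group("version")
            return {"product": match.group("product"), "version": version,
                    "discloses_version": version is not None}
    return {"product": None, "version": None, "discloses_version": False}


# Constructed sample pages: the default tag, and the tag with the version hidden.
DISCLOSING_PAGE = '<html><head><meta name="generator" content="concrete5 - 5.6.0.2" /></head></html>'
HIDDEN_PAGE = '<html><head><meta name="generator" content="concrete5" /></head></html>'

if __name__ == "__main__":
    for page in (DISCLOSING_PAGE, HIDDEN_PAGE):
        print(check_version_disclosure(page))
```

Running it over a fetched copy of your own front page tells you whether only "concrete5" remains in the tag, which is what the gallery check would still see.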
Great idea!
But keep in mind: If there's a big security issue, it probably wouldn't matter much if there's a version number or not. An attacker could easily identify concrete5 pages and just attack all of them without checking the version. It would take a bit more time, but the result would be more or less the same.
In the end I'd basically just say that you have to upgrade your sites whenever there's a security issue. Hiding behind a false sense of security because there's no version information seems to be a bit risky.