
Meta tags reveal the version number

Posted: Fri Jan 29, 2016 3:27 pm
by lillebitte
It is a bad idea to reveal the version number in the head section of a website. This way old versions are more vulnerable to attackers, who might go for security issues in old installations. <?php echo head();?> also reveals the installed plugins, which is unnecessary information too. I think it is a good idea to have this information in an installation, but only visible to admins.

Re: Meta tags reveal the version number

Posted: Fri Jan 29, 2016 7:59 pm
by cmb
I agree that this information makes it easier for attackers to exploit vulnerabilities. OTOH it is valuable for supporters (the info about installed plugins has been added for this reason) and for statistics (such as produced by w3techs, for instance), and of course users are strongly encouraged to update ASAP when vulnerabilities have been found and fixed.

What do you think of making this configurable (similar to PHP's setting expose_php)?

Re: Meta tags reveal the version number

Posted: Fri Jan 29, 2016 8:21 pm
by svasti
I have also had contact with a user who wanted to hide this for extra security, so that no one knows what CMS is used.
I suggest having a setting (e.g. hide_CMSdata_inHTML) in the upcoming extra config section (what was it called?), as most users won't bother.

Re: Meta tags reveal the version number

Posted: Fri Jan 29, 2016 8:58 pm
by lillebitte
No doubt a setting like hide_CMSdata_inHTML would be better than nothing, while display_CMSdata_inHTML would be even better. I mean that it of course should not be shown by default. I do believe, though, that it is a good idea to have the data shown somewhere as long as it is not public, for support reasons, or just to be sure which system to update :-). I know that other popular systems, such as Moodle or WordPress, stopped revealing this sensitive data long ago. If users in general don't bother, it is just an argument for enlightening them on security issues, not for taking security less seriously. I do not know much about PHP, so I cannot comment on the PHP setting expose_php.

Re: Meta tags reveal the version number

Posted: Tue Feb 09, 2016 9:20 am
by olape
Hello,

I think it's a good idea.
My solution to date:

/cmsimple/tplfuncs.php, the lines 74-102 (function head()) replace with:


function head()
{
	global $title, $cf, $pth, $tx, $hjs;

	// <title> and the configured/localized meta tags
	$t = XH_title($cf['site']['title'], $title);
	$t = '<title>' . strip_tags($t) . '</title>' . "\n";
	foreach (array_merge($cf['meta'], $tx['meta']) as $i => $k) {
		$t .= meta($i);
	}
	$t = tag('meta http-equiv="content-type" content="text/html;charset=UTF-8"')
		. "\n" . $t;
	$plugins = implode(', ', XH_plugins());
	// Debug mode turns error reporting on; only then emit the generator
	// meta tag and the plugin list comment.
	if (error_reporting() > 0) {
		return $t
		. tag(
			'meta name="generator" content="' . CMSIMPLE_XH_VERSION . ' '
			. CMSIMPLE_XH_BUILD . ' - www.cmsimple-xh.org"'
		) . "\n"
		. '<!-- plugins: ' . $plugins . ' -->' . "\n"
		. XH_renderPrevLink() . XH_renderNextLink() . "\n"
		. tag(
			'link rel="stylesheet" href="' . $pth['file']['corestyle']
			. '" type="text/css"'
		) . "\n"
		. tag(
			'link rel="stylesheet" href="' . $pth['file']['stylesheet']
			. '" type="text/css"'
		) . "\n"
		. $hjs;
	} else {
		// Production: same head, without version and plugin disclosure
		return $t
		. XH_renderPrevLink() . XH_renderNextLink() . "\n"
		. tag(
			'link rel="stylesheet" href="' . $pth['file']['corestyle']
			. '" type="text/css"'
		) . "\n"
		. tag(
			'link rel="stylesheet" href="' . $pth['file']['stylesheet']
			. '" type="text/css"'
		) . "\n"
		. $hjs;
	}
}
Then it can only be seen when the debug mode is enabled.

Greetings, Olaf
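To make the opt-in behaviour discussed above concrete, and to give site owners a way to verify what a rendered page actually discloses, here is an added example. It is not CMSimple_XH code and not from any poster in this thread: render_head is a stand-in for the CMS head() with a display_CMSdata_inHTML-style flag that defaults to off, and find_fingerprints parses any HTML and reports generator meta tags and "plugins:" comments. The function names, the config flag, the version and build strings and the plugin names are all constructed for the example.

```python
"""Added example: opt-in CMS fingerprinting in <head>, plus an audit check.

Not project code. render_head() imitates the shape of the head() output from
the thread; find_fingerprints() checks a rendered document for the two
disclosures discussed (generator meta tag and plugin list comment).
"""
import html
from html.parser import HTMLParser

# Constructed placeholders standing in for CMSIMPLE_XH_VERSION / CMSIMPLE_XH_BUILD
# and for the installed plugin list. They are not real version numbers or plugins.
SAMPLE_VERSION = "CMSimple_XH 0.0.0-example"
SAMPLE_BUILD = "00000000"
SAMPLE_PLUGINS = ["plugin_a", "plugin_b"]


def render_head(title, display_cms_data=False, version=SAMPLE_VERSION,
                build=SAMPLE_BUILD, plugins=SAMPLE_PLUGINS):
    """Render a minimal <head>.

    The generator meta tag and the plugin comment are emitted only when
    display_cms_data is True. The default is off, i.e. a fresh install
    discloses nothing unless an admin opts in (hypothetical flag).
    """
    parts = [
        '<meta http-equiv="content-type" content="text/html;charset=UTF-8">',
        "<title>%s</title>" % html.escape(title),
    ]
    if display_cms_data:
        parts.append(
            '<meta name="generator" content="%s %s - www.cmsimple-xh.org">'
            % (html.escape(version), html.escape(build))
        )
        parts.append("<!-- plugins: %s -->" % ", ".join(plugins))
    return "<head>\n" + "\n".join(parts) + "\n</head>"


class _FingerprintParser(HTMLParser):
    """Collects <meta name="generator"> contents and 'plugins:' comments."""

    def __init__(self):
        super().__init__()
        self.generators = []
        self.plugins = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names, so <META NAME=...>
        # is matched as well.
        if tag != "meta":
            return
        attributes = {k: (v or "") for k, v in attrs}
        if attributes.get("name", "").lower() == "generator":
            self.generators.append(attributes.get("content", ""))

    def handle_comment(self, data):
        # data is the comment body without the <!-- and --> delimiters
        text = data.strip()
        if text.lower().startswith("plugins:"):
            names = text[len("plugins:"):].split(",")
            self.plugins.extend(n.strip() for n in names if n.strip())


def find_fingerprints(document):
    """Return the generator strings and plugin names disclosed by `document`.

    An empty result for both keys means the page does not leak the CMS
    version or plugin list through these two channels.
    """
    parser = _FingerprintParser()
    parser.feed(document)
    parser.close()
    return {"generators": parser.generators, "plugins": parser.plugins}


if __name__ == "__main__":
    for flag in (False, True):
        page = render_head("Home", display_cms_data=flag)
        print("display_cms_data=%s -> %s" % (flag, find_fingerprints(page)))
```

Running find_fingerprints against the live page (fetched with whatever HTTP client you already use) after deploying a change such as the one above is the quickest way to confirm that production output is clean while a debug or opt-in build still carries the information support staff want.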

Re: Meta tags reveal the version number

Posted: Tue Feb 09, 2016 1:31 pm
by cmb
lillebitte wrote: I do not know much about PHP, so I cannot comment on the PHP setting expose_php.
This setting is Off by default, and it's recommended to leave it this way on publicly available servers, so you have a point.
olape wrote: Then it can only be seen when the debug mode is enabled.
Interesting solution, which would spare us another config option.

Re: Meta tags reveal the version number

Posted: Sat Feb 13, 2016 8:16 pm
by svasti
I put it on the roadmap.

Re: Meta tags reveal the version number

Posted: Sun Feb 14, 2016 2:34 pm
by cmb
svasti wrote: I put it on the roadmap.
Thanks!

Re: Meta tags reveal the version number

Posted: Sun Dec 18, 2016 11:35 am
by lillebitte
Thank you for the CMSimple_XH update.
But what happened to the idea about not revealing the version in the meta tags?

Re: Meta tags reveal the version number

Posted: Sun Dec 18, 2016 12:27 pm
by cmb
lillebitte wrote: But what happened to the idea about not revealing the version in the meta tags?
Thanks for the reminder! This idea was on the XH 1.7 roadmap; I've moved it to the 1.6.10 roadmap now.