
Hide coppermine version in source code

Started by net, May 03, 2009, 12:18:08 AM


net

Hi,

I'm paranoid about all those security holes. I'd like to hide my Coppermine version in the source (Browser > View > Source). At the end of the page you can always see the following:

<!--Coppermine Photo Gallery 1.4.22 (stable)-->

It's a small step, but it would feel safer knowing the user doesn't know which version I run.

Any ideas?

Joe Carver

A small step is all it could ever be and really would not slow down the people that you should worry about.
Someone spraying your site with automated hacking attempts is going to look for your server's response first
rather than whatever version of whatever software you are running. And those who are looking for "signs"
of vulnerability could look elsewhere, such as the structure or "code wording" of certain pages to find older versions.

Why not just show them (if they are looking) that you are indeed running the latest version? Obscuring a version
number will never make up for failing to upgrade. IMO  :)

net

Still doesn't change the fact that the human factor (me) does not rss feed on updates, so it might be a week or two, which gives attackers time. I already have a signature which gives the Coppermine team credit for their work, it's really not necessary for it to show publicly my version out to anyone.

Please help me.

net


Joe Carver

You must be checking your own (mysterious + un-posted here) site on a regular basis, at least to see if your server is working. Why not simply click the link at the bottom of any page? Major upgrade announcements seem to always be right there at the top of the Coppermine page.

The developers are adamant about how their work rightly gets credit. Personally, I have no problem with that, given how powerful Coppermine is and how much work has gone into it. Protections given to intellectual property are serious business and should not be taken lightly either. (IMO)

I'm surprised the thread is still here.  :)
(agreeing 100% with Joachim Müller in that thread, you will only be able to "hide" for so long)


net

Yes, but I'm not about to get struck by any real hackers. Usually they find exploits at milw0rm before I patch, which anyone could do with any common knowledge. Not knowing which version I run does make it harder for the common "scriptkid" to figure out what to do. I just don't see a reason to show my version number in public; it serves no good purpose for me, it only serves a purpose for someone who would have something ill intended.

Hein Traag

Subscribe to the announcements thread on this forum or to new download notifications at sourceforge if you want to be notified of a new version being released.

Joachim Müller

The chance of zero-day exploits is minimal, although it can't be neglected of course: usually, there's a maintenance release available two or three days after the initial vulnerability reports, which usually leaves you enough time: milw0rm and most other similar sites do only provide proof-of-concept exploits that are not ready for consumption by script kids. Script kids need to rely on someone else doing the dirty job, which usually doesn't happen within a day or two. This being said, it's pretty safe to subscribe to our announcements and upgrade asap. Obscuring the version output will definitely not protect you from zero day exploits. The version output is not being stored in regular search results from major search engines like Google (they only exist as comments, so you can hardly search for them, as the spider doesn't add that to the database).
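
The patch-status check the replies keep coming back to, as an added example that is not part of the thread or of Coppermine's own code: it reads the footer comment quoted in the first post from a page of your own gallery and compares it numerically with the newest release you know of. The function names, the sample pages and the `LATEST` value are constructed assumptions.

```python
import re

# Footer comment format quoted in the first post of this thread.
BANNER = re.compile(
    r"<!--\s*Coppermine Photo Gallery\s+(\d+(?:\.\d+)+)\s*(?:\(([^)]*)\))?\s*-->"
)


def parse_version(text):
    """Turn '1.4.22' into (1, 4, 22) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def audit_page(html, latest):
    """Report banner exposure and patch status for one page of your own gallery.

    `latest` is the newest release you know of (operator-supplied assumption).
    """
    match = BANNER.search(html)
    if match is None:
        # A hidden banner says nothing about the patch level: the installed
        # version then has to be verified on the server itself.
        return {"banner": None, "label": None, "status": "unknown"}
    running = match.group(1)
    outdated = parse_version(running) < parse_version(latest)
    return {
        "banner": running,
        "label": match.group(2),
        "status": "outdated" if outdated else "current",
    }


# Constructed sample pages; only the comment format comes from the thread.
SAMPLE_WITH_BANNER = (
    "<html><body>...</body></html>\n"
    "<!--Coppermine Photo Gallery 1.4.22 (stable)-->"
)
SAMPLE_HIDDEN = "<html><body>...</body></html>"
LATEST = "1.4.23"  # constructed value for the demonstration

if __name__ == "__main__":
    for name, page in (("banner", SAMPLE_WITH_BANNER), ("hidden", SAMPLE_HIDDEN)):
        print(name, audit_page(page, LATEST))
```

A page with the comment removed comes back as `unknown`, not `current`: hiding the banner changes what the page reveals, not whether the installation is patched.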