
Version Number

Started by danuvius, June 28, 2006, 04:35:35 PM


danuvius

I was wondering the following. Why is the version number of the coppermine version displayed (before the closing body tag) as an html comment in every page? I think this is a bad idea. It should never be visible to the public which version of coppermine is running. Because in this case, generating a list of vulnerable sites (with older exploitable coppermine versions) is quite easy.


...

<!--Coppermine Photo Gallery 1.4.8 (stable)-->
</body>

...


A few years ago a phpBB worm wandered the internet. One of the reasons it spread so fast was that it could easily target old phpBB versions with the use of Google. It wouldn't start an attack if it was sure it wouldn't succeed.

It is quite easy to generate a list of vulnerable coppermine galleries. In the first 10 results with this Google search criteria I found two old versions by hand (a version 1.4.2 stable and a 1.3.0 devel). This can easily be automated. At the moment there is no known exploit which can upload files/execute remote files, but when it is there this line can be easily used to spread around the internet really fast!

So personally I don't think it is a good idea to leave the version number in the html code that is returned to the browser!

Tranz

You can't search for html comments anyway. The version number is very useful for us to see when helping people who can't figure out what version they're using.

What phpbb used to do was have the actual version number on the page, not in the comments.

danuvius

Quote from: TranzNDance on June 28, 2006, 05:00:02 PM
You can't search for html comments anyway. The version number is very useful for us to see when helping people who can't figure out what version they're using.
True, that's a good feature, but it can also be implemented in the admin section under a special part called support or something, where other information is also displayed, like server software and OS. But I personally think it's not a good place to put it in every page the server sends out to a client, but that's my opinion!
Quote from: TranzNDance on June 28, 2006, 05:00:02 PM
What phpbb used to do was have the actual version number on the page, not in the comments.
True, it was on the page, but for Google that makes a difference; for other crawlers we don't know. The fact is that the version number is always sent to the browser, which in my opinion isn't necessary. And it makes it quite easy to make a crawler that gathers the information it needs about the running version.

Joachim Müller

The coppermine version is being displayed on coppermine's config page (and various other "admin-only" places). Yet there are a lot of newbie users who were not capable of figuring out what version they used, although people who know their way around should be able to do so; that's why we decided to output the coppermine version as an html comment for the sake of easier support. There are many open source apps that do the same thing as phpbb used to do: they display the version numbers visibly on the page. This means that they're vulnerable to similar attacks that led to the phpbb disaster. We're convinced that this is wrong. The current method of outputting the version number as html comment is a (good) compromise between the need for security and the needs of supporters to be able to see the version number. If you're concerned about this, edit include/functions.inc.php, find

        $add_version_info = "<!--Coppermine Photo Gallery ".COPPERMINE_VERSION." (".COPPERMINE_VERSION_STATUS.")-->\n</body>";
        $template_footer = ereg_replace("</body[^>]*>",$add_version_info,$template_footer);

and edit/comment out as you see fit.
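
A check a gallery owner can run on their own rendered pages after making the edit described above (an added example, not part of the original thread and not Coppermine code). It lists HTML comments that name a product and version and, going beyond the thread, `<meta name="generator">` tags; the sample pages and the name `ExampleCMS` are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# A product name followed by a dotted version, e.g. "Coppermine Photo Gallery 1.4.8".
# Matches are candidates for review: any "words + dotted number" text is reported.
VERSION_RE = re.compile(r"([A-Za-z][\w .+-]*?)\s+v?(\d+(?:\.\d+)+)")


class DisclosureFinder(HTMLParser):
    """Collects comments and generator meta tags that name a product version."""

    def __init__(self):
        super().__init__()
        self.findings = []  # tuples of (source, product, version)

    def _check(self, source, text):
        match = VERSION_RE.search(text.strip())
        if match:
            self.findings.append((source, match.group(1).strip(), match.group(2)))

    def handle_comment(self, data):
        self._check("comment", data)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "meta" and (attrs.get("name") or "").lower() == "generator":
            self._check("meta generator", attrs.get("content") or "")


def find_version_disclosures(html):
    """Return every version disclosure found in one rendered page."""
    finder = DisclosureFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample pages: the footer before and after removing the comment.
PAGE_BEFORE = ("<html><head><title>Gallery</title></head><body><p>Albums</p>\n"
               "<!--Coppermine Photo Gallery 1.4.8 (stable)-->\n</body></html>")
PAGE_AFTER = ("<html><head><title>Gallery</title></head><body><p>Albums</p>\n"
              "</body></html>")
# Constructed page with a generator tag and a harmless conditional comment.
PAGE_META = ('<html><head><meta name="generator" content="ExampleCMS 2.0">'
             "<!--[if lt IE 9]><p>old browser</p><![endif]--></head><body></body></html>")

if __name__ == "__main__":
    for name, page in [("before", PAGE_BEFORE), ("after", PAGE_AFTER), ("meta", PAGE_META)]:
        print(name, find_version_disclosures(page))
```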