login & rights > Bug (closed)

login page shouldn't show streber version info, nor on guest accounts / #2117

Summary

closed
Sep 19, 2006
100%
Sep 20, 2006 / madlyr
May 4, 2008 / cody-somerville
cody-somerville
 

Attached files

No files uploaded
As a security paranoia rule, I think that the login page shouldn't show streber version info, nor should guest accounts see it on any of the pages.

It should be easily configurable not to show at all that this login page belongs to the open source project named streber. If a hacker does not know what software is behind the login page, he/she has far fewer options to hack our PM software.


What do you think?

9 Comments

binder

Sep 20, 2006
good idea
I have enough problems getting some of our Invision Boards up to date and removing hackers who search for the Invision Power Board version number, which is mandatory for the installation.
Making it configurable which content is shown on the login page could increase security.

tino

Sep 20, 2006
New Comment
On the one hand, I agree with you, Radek and Thomas.

But on the other hand, visitors and guests want to know which version is running at the moment on streber.pixtur.de!

Overall it would probably increase security, that's right.

madlyr

Sep 20, 2006
version 2

binder

Sep 20, 2006
Yep, it should be configurable!
I would deploy two versions of the login page:
  1. high security: no information at all about what is behind the login, just login/password
  2. normal security: as it is at present

pixtur

Sep 25, 2006
Confirmed...
I really like this discussion, as it shows that I am not the only person interested in security hardening.

I would suggest the following procedure:
  • never show the version on:
    • anonymous pages (includes login, loginSubmit, error)
    • or if !isset($auth->cur_user->id)
  • add an option SHOW_VERSION with default true
Of course the "guest/guest" login hint at streber.pixtur.de is a separate matter. I want to leave it, because streber is driven by a community which is open for everybody. In the long term I even want to go a step further and allow anonymous browsing of public content.

I really would like to let streber be tested by some security hackers and script kiddies. Maybe there is some site on the internet that announces such competitions...

tom
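The guard pixtur proposes above, written out as an added example that is not streber's own code. It assumes a SHOW_VERSION constant in the site config (default true), a global $auth object whose cur_user->id is only set once someone has logged in (as in the comment), and a list of page identifiers that are reachable without login; the page identifiers 'login', 'loginSubmit' and 'error' and the version string 0.0803 are taken from this thread, the function names and the sample objects are made up for the demo.

```php
<?php
// Added example (not streber's own code): decide whether the running version
// may be shown to the current visitor. STREBER_VERSION, SHOW_VERSION and the
// $auth->cur_user->id convention are assumptions modelled on the comment above.

define('STREBER_VERSION', '0.0803');        // assumed version string for the demo
if (!defined('SHOW_VERSION')) {
    define('SHOW_VERSION', true);           // proposed default: keep showing it
}

// Pages an anonymous visitor can reach; names taken from the proposal above.
$g_anonymous_pages = array('login', 'loginSubmit', 'error');

/**
 * Return true only when all three conditions hold: the admin has not switched
 * the version display off, the page is not an anonymous one, and the request
 * carries an authenticated user.
 */
function versionMayBeShown($page_id, $auth, $anonymous_pages)
{
    if (!SHOW_VERSION) {
        return false;                       // admin turned it off globally
    }
    if (in_array($page_id, $anonymous_pages, true)) {
        return false;                       // never on login / loginSubmit / error
    }
    if (!isset($auth->cur_user->id) || !$auth->cur_user->id) {
        return false;                       // no logged-in user (anonymous, expired session)
    }
    return true;
}

/**
 * Build the footer text; the version string is appended only when allowed.
 * Returning the string (rather than echoing it) keeps the decision testable.
 */
function renderFooter($page_id, $auth, $anonymous_pages)
{
    $footer = 'powered by streber';
    if (versionMayBeShown($page_id, $auth, $anonymous_pages)) {
        $footer .= ' v' . STREBER_VERSION;
    }
    return $footer;
}

// Constructed sample objects so the file runs stand-alone (php this_file.php).
$anon = new stdClass();                     // visitor with no session user
$anon->cur_user = new stdClass();
$member = new stdClass();                   // logged-in user, assumed id 42
$member->cur_user = new stdClass();
$member->cur_user->id = 42;

var_dump(renderFooter('login', $member, $g_anonymous_pages));   // anonymous page: no version
var_dump(renderFooter('home',  $anon,   $g_anonymous_pages));   // no user: no version
var_dump(renderFooter('home',  $member, $g_anonymous_pages));   // logged-in user: version shown
```

Two caveats a practitioner would add. First, the guest/guest demo login on streber.pixtur.de is an actual user account, so with this rule a guest still sees the version once logged in; an admin who wants the stricter behaviour asked for in the report would extend the check with the guest account's id or role. Second, hiding the string in the HTML only removes the obvious fingerprint: the PHP X-Powered-By header (controlled by expose_php in php.ini) and distinctive file paths still identify the stack, which is why this belongs together with the .htaccess and php.ini hardening discussed further down.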



binder

Sep 25, 2006
Reply to Confirmed...

I really would like to let streber be tested by some security hackers and script kiddies. Maybe there is some site on the internet that announces such competitions...

Don't know if it's time yet for some open audits? But if you want, I can set our security specialist on it! ;)
But that brings us to the other discussion: security rules for .htaccess and php.ini. The software can be secure in itself, but exploits in the server software can be used to crack the system and take over the MySQL tables. So in my opinion, the admin is always responsible for the software he/she installs and should take care of the software as it runs.

madlyr

Sep 26, 2006
An admin can't be responsible for unknown security leaks in the software :-)
... but he should harden it at the system, webserver and database level; he should read the particular installation and security tips and apply them.

If an unknown error exists in the software, then he/she can't be responsible for any damage :-)...


cody-somerville

May 2, 2008
Target set for v0.0803.

cody-somerville

May 4, 2008
It appears this feature is already implemented.