Jump to content

PW version displayed on the backend login screen


Recommended Posts

this one is trivial :-)

feature request : PW should not disclose its version number to unauthenticated users on the backend login screen.

ok, this is about security through mere obscurity, so nothing vital here, but experience tells that attackers really love to easily know the exact version of their target.

  • Like 4
Link to comment
Share on other sites

Yes, here it's more about general good practice.

Imagine that tomorrow a security flaw is discovered in current PW (2.7.2 and older). So, the day after tomorrow :-) , PW 2.7.3 is released, fixing the flaw. So everyone upgrades to 2.7.3. But if some site is not upgraded, then it is at risk. And, as PW discloses its version number, the attackers will be happy :-)

Link to comment
Share on other sites

It's basically that in both admin theme's default.php files:

--- /Users/Benni/Projekte/ProcessWire2/www/html/wire/modules/AdminTheme/AdminThemeReno/default.php
+++ /Users/Benni/Projekte/ProcessWire2/www/html/wire/modules/AdminTheme/AdminThemeReno/default.php (Unsaved)
@@ -129,7 +129,7 @@
 				<a class="action" href="<?php echo $config->urls->admin; ?>login/logout/"><i class="fa <?php echo $adminTheme->signout;?>"></i> <?php echo $helpers->_('Logout'); ?></a>
 		<?php endif; ?>
-		ProcessWire <?php echo $config->versionName . ' <!--v' . $config->systemVersion; ?>--> © <?php echo date("Y"); ?> 
+		ProcessWire <?php if($user->isLoggedIn())echo $config->versionName . ' <!--v' . $config->systemVersion . '-->'); ?> © <?php echo date("Y"); ?> 

  • Like 2
Link to comment
Share on other sites

  • 1 month later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...