er314 Posted December 20, 2015 Posted December 20, 2015 this one is trivial feature request : PW should not disclose its version number to unauthenticated users on the backend login screen. ok, this is about security through mere obscurity, so nothing vital here, but experience tells that attackers really love to easily know the exact version of their target. 4
teppo Posted December 20, 2015 Posted December 20, 2015 If there were (known) vulnerabilities, this would be more important, but +1 from me for changing this behaviour anyway. In my opinion there's absolutely no need to disclose the specific version number
er314 Posted December 20, 2015 Author Posted December 20, 2015 Yes, here it's more about general good practice. Imagine that tomorrow a security flaw is discovered in current PW (2.7.2 and older). So, the day after tomorrow , PW 2.7.3 is released, fixing the flaw. So everyone upgrades to 2.7.3. But if some site is not upgraded, then it is at risk. And, as PW discloses its version number, the attackers will be happy
LostKobrakai Posted December 20, 2015 Posted December 20, 2015 It's basically that in both admin theme's default.php files: --- /Users/Benni/Projekte/ProcessWire2/www/html/wire/modules/AdminTheme/AdminThemeReno/default.php +++ /Users/Benni/Projekte/ProcessWire2/www/html/wire/modules/AdminTheme/AdminThemeReno/default.php (Unsaved) @@ -129,7 +129,7 @@ <a class="action" href="<?php echo $config->urls->admin; ?>login/logout/"><i class="fa <?php echo $adminTheme->signout;?>"></i> <?php echo $helpers->_('Logout'); ?></a> </span> <?php endif; ?> - ProcessWire <?php echo $config->versionName . ' <!--v' . $config->systemVersion; ?>--> © <?php echo date("Y"); ?> + ProcessWire <?php if($user->isLoggedIn())echo $config->versionName . ' <!--v' . $config->systemVersion . '-->'); ?> © <?php echo date("Y"); ?> </p> <?php 2
ryan Posted December 21, 2015 Posted December 21, 2015 Makes sense to me, I'll move that <?php endif; ?> down one line, so that the name/version only appears when logged in. 4
Yannick Albert Posted February 2, 2016 Posted February 2, 2016 Makes sense to me, I'll move that <?php endif; ?> down one line, so that the name/version only appears when logged in. Once an update was made, the version number gets visible again due the notification message 1
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now