Jump to content

PW version displayed on the backend login screen

er314

By er314
in Security

 Share

Recommended Posts

er314 Full Member

er314

Posted
Posted
this one is trivial :-)

feature request : PW should not disclose its version number to unauthenticated users on the backend login screen.

ok, this is about security through mere obscurity, so nothing vital here, but experience tells that attackers really love to easily know the exact version of their target.

  • Like 4
teppo Hero Member

teppo

Posted
Posted

If there were (known) vulnerabilities, this would be more important, but +1 from me for changing this behaviour anyway. In my opinion there's absolutely no need to disclose the specific version number :)

er314 Full Member

er314

Posted
  • Author
Posted

Yes, here it's more about general good practice.

Imagine that tomorrow a security flaw is discovered in current PW (2.7.2 and older). So, the day after tomorrow :-) , PW 2.7.3 is released, fixing the flaw. So everyone upgrades to 2.7.3. But if some site is not upgraded, then it is at risk. And, as PW discloses its version number, the attackers will be happy :-)

LostKobrakai Hero Member

LostKobrakai

Posted
Posted

It's basically that in both admin theme's default.php files:

--- /Users/Benni/Projekte/ProcessWire2/www/html/wire/modules/AdminTheme/AdminThemeReno/default.php
+++ /Users/Benni/Projekte/ProcessWire2/www/html/wire/modules/AdminTheme/AdminThemeReno/default.php (Unsaved)
@@ -129,7 +129,7 @@
 				<a class="action" href="<?php echo $config->urls->admin; ?>login/logout/"><i class="fa <?php echo $adminTheme->signout;?>"></i> <?php echo $helpers->_('Logout'); ?></a>
 			</span>
 		<?php endif; ?>
-		ProcessWire <?php echo $config->versionName . ' <!--v' . $config->systemVersion; ?>--> © <?php echo date("Y"); ?> 
+		ProcessWire <?php if($user->isLoggedIn())echo $config->versionName . ' <!--v' . $config->systemVersion . '-->'); ?> © <?php echo date("Y"); ?> 
 	</p>

 	<?php
  • Like 2
ryan Hero Member

ryan

Posted
Posted

Makes sense to me, I'll move that <?php endif; ?> down one line, so that the name/version only appears when logged in. 

  • Like 4
  • 1 month later...
Yannick Albert Full Member

Yannick Albert

Posted
Posted

Makes sense to me, I'll move that <?php endif; ?> down one line, so that the name/version only appears when logged in. 

Once an update was made, the version number gets visible again due the notification message ;)

  • Like 1

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...