Advanced search  

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Pages: [1]   Go Down

Author Topic: Version Number  (Read 5716 times)

0 Members and 1 Guest are viewing this topic.

danuvius

  • Contributor
  • Coppermine novice
  • ***
  • Offline Offline
  • Posts: 20
Version Number
« on: June 28, 2006, 04:35:35 pm »

I was wondering the following. Why is the version number of the coppermine version displayed (before the closing body tag) as a html comment in every page? I think this is a bad idea. It shoud never be visible to the public which version of coppermine is running. Because in this case a list of vurnable sites (with older exploitable coppermine versions) quite easy.

Code: [Select]
...

<!--Coppermine Photo Gallery 1.4.8 (stable)-->
</body>

...

A few years ago a phpBB worm wondered the internet. One of the reason it spreaded so fast was that it could easily target old phpBB version with the use of google. It wouldn't start an attack if it was sure it wouldn't succeed.

It is quite easy to generate a list of vernable coppermine galleries. In the first 10 results with this google search criteria I found two old versions by hand (a version 1.4.2 stable and a 1.3.0 devel). This can easily be automated. At the moment there is no known exploit which can upload files/excute remote files, but when it is there this line can be easily used to spread around the internet really fast!

So personally I don't think it is a good idea to leave the version number in the html code that is returned to the browser!
Logged

Tranz

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: 00
  • Offline Offline
  • Gender: Female
  • Posts: 6149
Re: Version Number
« Reply #1 on: June 28, 2006, 05:00:02 pm »

You can't search for html comments anyway. The version number is very useful for us to see when helping people who can't figure out what version they're using.

What phpbb used to do was have the actual version number on the page, not in the comments.
Logged

danuvius

  • Contributor
  • Coppermine novice
  • ***
  • Offline Offline
  • Posts: 20
Re: Version Number
« Reply #2 on: June 29, 2006, 11:22:46 am »

You can't search for html comments anyway. The version number is very useful for us to see when helping people who can't figure out what version they're using.
True that's a good feature, but can also be implemented in the admin section under a special part called support or something where also other informtation is displayed like server software and OS. But I personally think it's not a good place to put it in every page the server sends out to a client, but that's my opinion!
What phpbb used to do was have the actual version number on the page, not in the comments.
True, it was on the page but for google that makes a difference for other crawlers we don't know. The fact is that the version numer is always send to the browser, which in my opinion isn't neccesairy. And makes it quite easy to make a crawler that gathers the information it needs about the running version.
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: Version Number
« Reply #3 on: July 03, 2006, 07:00:12 pm »

The coppermine version is being displayed on coppermine's config page (and various other "admin-only" places). Yet there are a lot of newbie users who were not capable to figure out what version they used although people who know their way around should be able to do so, that's why we decided to output the coppermine version as an html comment for the sake of easier support. There are many open source apps that do the same thing as phpbb used to do: they display the version numbers visibly on the page. This means that they're vulnerable to similar attacks that led to the phpbb disaster. We're convinced that this is wrong. The current method of outputting the version number as html comment is a (good) compromise between the need of security and the needs of supporters to be able to see the version number. If you're comcerned about this, edit include/functions.inc.php, find
Code: [Select]
        $add_version_info = "<!--Coppermine Photo Gallery ".COPPERMINE_VERSION." (".COPPERMINE_VERSION_STATUS.")-->\n</body>";
        $template_footer = ereg_replace("</body[^>]*>",$add_version_info,$template_footer);
and edit/comment out as you see fit.
Logged
Pages: [1]   Go Up
 

Page created in 0.019 seconds with 19 queries.