Remove C5 Head Content - Php
BACKGROUND:
When you visit a site running C5 you will typically see the following lines of code in the head tags:
<script type="text/javascript">
var CCM_DISPATCHER_FILENAME = '/index.php';
var CCM_CID = 1;
var CCM_EDIT_MODE = false;
var CCM_ARRANGE_MODE = false;
var CCM_IMAGE_PATH = "/updates/concrete5.4.1.1/concrete/images";
var CCM_TOOLS_PATH = "/index.php/tools/required";
var CCM_REL = "";
</script>
<link rel="stylesheet" type="text/css" href="/updates/concrete5.4.1.1/concrete/css/ccm.base.css?v=e00e8ce59e3521533bb4e67744a6e542" />
<script type="text/javascript" src="/updates/concrete5.4.1.1/concrete/js/jquery.js?v=e00e8ce59e3521533bb4e67744a6e542"></script>
<script type="text/javascript" src="/updates/concrete5.4.1.1/concrete/js/ccm.base.js?v=e00e8ce59e3521533bb4e67744a6e542"></script>
This was taken off the source code of a random site from the showcase. You can check it out here: http://www.saucedjs.com/
C5 automatically generates this when you put:
<?php Loader::element('header_required');?>
In place of the title tags.
QUESTION:
1. For security reasons, how can you hide this code from regular (non editing) visitors?
- It's not necessary for typical visitors and it gives away the CMS name for exploitation.
POSSIBLE IDEAS
Use an if statement to check if the user is logged in?
- If not logged in send a separate .php replacement with just the <title>page</title>
- If logged in - send the editing header file
Any solutions are greatly appreciated!
Agree you can identify the CMS in use from that, not sure it presents a security risk unless your version has known exploits, but do very much agree that less disclosure is better.
Ok, after a little bit of messing around with my site I put together the following code which can be used in the head:
For showing CMS header only to those who need it.
<?php
// Send the full concrete5 header only to registered users;
// everyone else gets a bare <title> built from the current page name.
$u = new User();
if ($u->isRegistered()) {
    Loader::element('header_required');
} else {
    $page = Page::getCurrentPage();
    echo '<title>'.$page->getCollectionName().'</title>';
}
?>
I really advise you not to do that, it can cause tons of problems, especially with add-ons.
Copy /concrete/elements/header_required.php to /elements and you can remove the meta generator, also for that use $u->isloggedin(); not registered but I highly advise people to not do what was posted above!
It is almost impossible to entirely hide the identity of a site CMS and that is not at all unique to C5. It is very simple to detect WordPress or Drupal sites as well. Even if there is no clear identifier in the code source, a script can often detect the CMS by testing for certain directories or files they know exist in the given site. In Drupal for instance we can check for CHANGELOG files to be in a certain location.
I would imagine even if you succeed in removing this code from the head, there are other simple ways to test if a given site is running C5.
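A self-audit sketch for the points raised in this thread, added here and not part of any post: it scans your own site's rendered head for the concrete5 markers quoted in the first post (CCM_ globals, versioned /updates/ paths, core asset URLs) plus a generator meta tag, and shows that dropping only the generator tag still leaves the version visible. The sample markup, the generator value and the names audit_head and strip_generator are constructed for illustration.

```python
import re

# Constructed sample modelled on the head markup quoted in the first post;
# the generator tag's content value is an assumption for illustration.
FULL_HEAD = '''<meta name="generator" content="concrete5 - 5.4.1.1" />
<script type="text/javascript">
var CCM_DISPATCHER_FILENAME = '/index.php';
var CCM_CID = 1;
var CCM_IMAGE_PATH = "/updates/concrete5.4.1.1/concrete/images";
</script>
<link rel="stylesheet" type="text/css" href="/updates/concrete5.4.1.1/concrete/css/ccm.base.css?v=abc" />
<script type="text/javascript" src="/updates/concrete5.4.1.1/concrete/js/ccm.base.js?v=abc"></script>'''

# Head as an anonymous visitor would receive it from the title-only branch.
TITLE_ONLY_HEAD = "<title>Home</title>"

PATTERNS = {
    "generator": re.compile(
        r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']*)', re.I),
    "ccm_globals": re.compile(r'\bvar\s+(CCM_[A-Z_]+)\s*='),
    "version_paths": re.compile(r'/updates/concrete(\d+(?:\.\d+)+)/'),
    "core_assets": re.compile(
        r'(?:href|src)=["\']([^"\'?]*/concrete/(?:css|js)/[^"\'?]+)'),
}

def audit_head(html):
    """Return the de-duplicated disclosure markers found in rendered head markup."""
    found = {name: sorted(set(rx.findall(html))) for name, rx in PATTERNS.items()}
    found["discloses_cms"] = any(found[name] for name in PATTERNS)
    found["discloses_version"] = bool(found["version_paths"]) or any(
        re.search(r"\d+\.\d+", g) for g in found["generator"])
    return found

def strip_generator(html):
    """Simulate removing only the generator meta tag from the head."""
    return re.sub(r'<meta\s+name=["\']generator["\'][^>]*>\s*', "", html, flags=re.I)

if __name__ == "__main__":
    for label, head in [("full head", FULL_HEAD),
                        ("generator removed", strip_generator(FULL_HEAD)),
                        ("title only", TITLE_ONLY_HEAD)]:
        print(label, audit_head(head))
```

A clean result for the head says nothing about the rest of the response: asset requests, cookies and files on disk can still identify the CMS, as the last reply points out.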