version ID protection
What exactly can be done to prevent malicious users enumerating the specific version of concrete5 used on a website? There are free tools such as http://pentest-tools.com/ that at present easily reveal the exact version of concrete5 - which I imagine would assist an attacker if there was a known unpatched vulnerability in a specific version.
It's not helping much. Obscurity != Security. Every hacker probably has fingerprint tools to determine the software version used. I mean, even I have them, and I'm not a hacker.
So are you saying 'don't worry about it', or that it's easy to obtain the information even if you hide it?
Yes, that's what I'd say.
Not sure if it works in v5.6, but in v8.4 I use the following code in the package controller on_start():
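// Replace the default generator meta tag before the page header is rendered.
Events::addListener("on_header_required_ready", function ($event) {
    $metaTags = $event->getArgument("metaTags");
    // Overwrite the 'generator' entry with the package name and package version.
    $metaTags['generator'] = sprintf(
        '<meta name="generator" content="%s"/>',
        'MY_PACKAGE - ' . $this->pkgVersion
    );
    $event->setArgument("metaTags", $metaTags);
    return $event;
});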
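A way to confirm what the generator tag exposes after a change like the listener above, as an added example that is not part of the original thread: it parses rendered HTML and reports any dotted version number found in each generator meta tag. The sample pages and the names `audit_generator` and `GeneratorMetaParser` are constructed for illustration, and the check covers only this one tag.

```python
import re
from html.parser import HTMLParser

# Matches dotted version numbers such as 8.4 or 5.6.3.1
VERSION_RE = re.compile(r"\b\d+(?:\.\d+)+\b")


class GeneratorMetaParser(HTMLParser):
    """Collects the content of every <meta name="generator"> tag."""

    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        # Also called for self-closing tags such as <meta ... />.
        if tag != "meta":
            return
        attr = {k: (v or "") for k, v in attrs}
        if attr.get("name", "").strip().lower() == "generator":
            self.generators.append(attr.get("content", ""))


def audit_generator(html):
    """Return (content, version_numbers_found) for each generator tag."""
    parser = GeneratorMetaParser()
    parser.feed(html)
    return [(c, VERSION_RE.findall(c)) for c in parser.generators]


# Constructed sample pages (assumed markup, not captured from a real site).
SAMPLES = {
    "core version in tag": '<head><meta name="generator" content="concrete5 - 8.4.0"/></head>',
    "package version in tag": '<head><meta name="generator" content="MY_PACKAGE - 1.0.2"/></head>',
    "no version in tag": '<head><meta name="generator" content="MY_SITE"/></head>',
}

if __name__ == "__main__":
    for label, page in SAMPLES.items():
        for content, versions in audit_generator(page):
            status = "version exposed: " + ", ".join(versions) if versions else "no version"
            print(f"{label}: {content!r} -> {status}")
```

A tag built as `'MY_PACKAGE - ' . $this->pkgVersion` is still reported, because it carries the package's own version number even though the core version is gone.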