[dokuwiki] Re: HTML header, generator and keywords

Andreas Gohr wrote:
>>> DokuWiki adds a generator line to the HTML header
>>> that reveals the version of DokuWiki used.
>>> The problem I see here is that an attacker could
>>> use this information to break into the site using
>>> a technique only working for this version.
>>
>>   I don't think hiding php version, apache version, OS version,
>>   SSL version, SSH version, whatever version, DokuWiki version
>>   has anything to do with computer security.
> 
> I agree, that's security by obscurity and that has never worked. But if
> you really want to hide the version, just delete the VERSION file from
> your DokuWiki directory.

--------------------------------------------------
No! I didn't say removing the version info
would make DokuWiki secure. All I'm saying
is that this info increases the risk of an
attack. Imagine someone with knowledge
of a security hole in version 123: This
person could search the web for installations
of this specific version which he would not
have tried to attack otherwise. Also the other
way around: If he wants to attack a specific
wiki he can just read the ChangeLog and
get some good hints where to start best.

Btw did you know searching for "DokuWiki Installer"
will point you to people who forgot to delete
install.php? If one of these people had not
installed DokuWiki (say he saved it for
later) an attacker could install it on his
own, activate PHP code in config and execute
whatever PHP is allowed to.



Sebastian
-- 
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist
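
A local check for the two exposures raised in this thread, as an added example (not part of the original post and not DokuWiki's own code): it looks for a leftover install.php and a VERSION file in a wiki directory you administer, and flags a generator meta tag that carries a version. The generator tag format, the version pattern and the sample HTML are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from pathlib import Path

# Constructed sample of a rendered wiki page; the version stamp is a placeholder.
SAMPLE_HTML = (
    '<html><head><meta name="generator" '
    'content="DokuWiki Release 0000-00-00" /></head><body></body></html>'
)

# Assumption: a disclosed version looks like a date stamp or a dotted number.
VERSION_PATTERN = re.compile(r"\d{4}-\d{2}-\d{2}|\d+\.\d+")


class GeneratorMeta(HTMLParser):
    """Collects the content attribute of every <meta name="generator"> tag."""

    def __init__(self):
        super().__init__()
        self.values = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.values.append(a.get("content", ""))


def generator_findings(html):
    """Return generator strings that include something shaped like a version."""
    parser = GeneratorMeta()
    parser.feed(html)
    return [v for v in parser.values if VERSION_PATTERN.search(v)]


def docroot_findings(docroot):
    """Return which of the files named in the thread exist in the wiki directory."""
    root = Path(docroot)
    return [n for n in ("install.php", "VERSION") if (root / n).is_file()]


def audit(docroot, html):
    """Combine both checks into a list of human-readable findings."""
    report = [f"{name} is present in {docroot}" for name in docroot_findings(docroot)]
    report += [f"generator tag discloses a version: {v!r}"
               for v in generator_findings(html)]
    return report


if __name__ == "__main__":
    for line in audit(".", SAMPLE_HTML):
        print(line)
```
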
