August 2nd, 2010, 11:51 PM   #1
Swanny
Member
Verified Customer
Join Date: Jun 2002
Location: Western Canada
Posts: 382
Big Security No-No - "Powered by: Reviewpost 5.0"

So I finally upgraded my ReviewPost version 4.04 the other day. I noticed that in the footer it shows: Powered by: Reviewpost 5.0. Also, there is a meta tag <meta name="generator" content="ReviewPost 5.0" />. This is bad in my opinion.

You see, hackers can use version information to take advantage of vulnerabilities. For example, there have been a few "security updates" as you can see in your Announcements forum. If a hacker wanted, they could do a search in their favorite search engine for "Powered by: ReviewPost 4.0" and know that the software is not up-to-date, then proceed to take advantage of any known vulnerabilities. If the version number was absent from the HTML (meta/footer) then they would have a harder time doing this.

Please remove the version number from the meta tag and footer as it is a security concern. That is my suggestion.

p.s. The sky is not falling and I know plenty of software packages / scripts include version numbers. I'm not suggesting your product is not secure, I'm saying it is good security practice to hide the version number to anyone but the admin. Agree? Disagree? Comments?
__________________
My PhotoPost Installations are at:
FordF150.net - Ford Truck Enthusiast Site
FordFlex.net - Ford Flex Enthusiast Site
FordTaurus.net - Ford Taurus Enthusiast Site
FordFusion.net - Ford Fusion Enthusiast Site
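An added example, not part of the original post and not ReviewPost's own code: a self-audit a site admin could run over their own rendered pages to confirm that the generator meta tag and the "Powered by:" footer described above no longer carry a version number. The function name `audit`, the regular expressions and the two sample pages are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Product name followed by a dotted version number, e.g. "ReviewPost 5.0".
VERSIONED = re.compile(r"([A-Za-z][\w-]*)\s+v?(\d+(?:\.\d+)+)")
POWERED_BY = re.compile(r"powered\s+by:?\s*" + VERSIONED.pattern, re.I)

class _Collector(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.generators = []   # content of each <meta name="generator">
        self.text = []         # visible text chunks
        self._hidden = 0       # nesting depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._hidden += 1
        elif tag == "meta":
            a = {k.lower(): v or "" for k, v in attrs}
            if a.get("name", "").lower() == "generator":
                self.generators.append(a.get("content", ""))

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._hidden:
            self._hidden -= 1

    def handle_data(self, data):
        if not self._hidden:
            self.text.append(data)

def audit(html):
    """Return (where, product, version) for each version disclosure found."""
    c = _Collector()
    c.feed(html)
    c.close()
    findings = []
    for content in c.generators:
        m = VERSIONED.search(content)
        if m:
            findings.append(("meta generator", m.group(1), m.group(2)))
    # Join chunks so "Powered by: <a>ReviewPost 5.0</a>" is still matched.
    for m in POWERED_BY.finditer(" ".join(c.text)):
        findings.append(("footer text", m.group(1), m.group(2)))
    return findings

# Constructed sample pages (not taken from a real site).
BEFORE = ('<html><head><meta name="generator" content="ReviewPost 5.0" /></head>'
          '<body><p>Powered by: <a href="#">ReviewPost 5.0</a></p></body></html>')
AFTER = ('<html><head><meta name="generator" content="ReviewPost" /></head>'
         '<body><p>Powered by: ReviewPost</p></body></html>')
```

Calling `audit(BEFORE)` reports both disclosure points, while `audit(AFTER)` returns an empty list once the templates drop the version number.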