Remove version info from login screen #1878

Closed
sirtet opened this Issue Apr 1, 2015 · 3 comments


sirtet commented Apr 1, 2015

I know, security by obscurity is not working alone.
Still, I'd prefer to make life harder for an attacking bot that just needs to query the version string to apply the correct attack.

I'm no security expert, it's just an idea about something that caught my eye...

chtaube commented Apr 1, 2015

No bot would ever care about the version string returned, as this could be forged anyway. They don't even care if a particular application is installed at all. They simply try out all attacks/exploits that they have in their database and hope that one of them is successful.

If you want to harden your YOURLS installation, simply add password protection to the admin/ directory. As a side effect, this will hide the login page with the version string, too.

You can improve security even more by not giving the PHP interpreter write access to the webserver's document_root. Of course, this would break the auto-update mechanisms of CMSs like WordPress or Drupal. But as usual: there is no free lunch. The more you secure your installation, the less comfy it is for you to use and administer it.
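The two hardening steps suggested in the comment above, written out as a deploy-time script. This is an added example, not code from the thread or from the YOURLS project. It assumes Apache 2.4 honouring .htaccess files ("AllowOverride AuthConfig" on the docroot), PHP running as the web server user (a member of the web server group), and the files owned by a separate deploy user; every path, user and hash in it is made up for the demo.

```shell
#!/bin/sh
# Added example, not YOURLS code: the two hardening steps from the comment above as a
# deploy-time script: (1) HTTP Basic auth in front of admin/, (2) a docroot the PHP
# process cannot write to. Assumptions (not from the page): Apache 2.4 honouring
# .htaccess ("AllowOverride AuthConfig" for the docroot), PHP running as the web
# server user, and files owned by a separate deploy user. All paths are made up.
set -eu

# 1a. Require Basic auth for everything under admin/, which also hides the login page
# (and its footer with the version string) from anyone without credentials. The password
# file must live OUTSIDE the docroot so it can never be fetched over HTTP, and
# AuthUserFile must be an absolute path.
write_admin_htaccess() {   # $1 = docroot, $2 = absolute path of the htpasswd file
    mkdir -p "$1/admin"
    cat > "$1/admin/.htaccess" <<EOF
AuthType Basic
AuthName "YOURLS admin"
AuthUserFile $2
Require valid-user
EOF
}

# 1b. Install one "user:hash" line. Create the line with Apache's own tool, which prints
# it instead of writing a file:   htpasswd -nB admin   (bcrypt, prompts for the password).
# The file is created under a restrictive umask and ends up 0640 so only the owner and
# the web server group (chgrp it to that group in your deploy step) can read it.
install_htpasswd_entry() { # $1 = htpasswd file, $2 = "user:hash" line from htpasswd -nB
    ( umask 077; printf '%s\n' "$2" > "$1" )
    chmod 0640 "$1"
}

# 2. Make the docroot read-only for the web server: directories 0755, files 0644, all
# owned by the deploy user (chown in your deploy step). Only the paths you list
# explicitly get group write for the web server group. This is the trade-off the
# comment mentions: anything that updates itself by writing into the docroot breaks.
lock_docroot() {           # $1 = docroot, remaining args = relative paths that must stay writable
    docroot=$1
    shift
    find "$docroot" -type d -exec chmod 0755 '{}' +
    find "$docroot" -type f -exec chmod 0644 '{}' +
    for p in "$@"; do
        mkdir -p "$docroot/$p"
        find "$docroot/$p" -type d -exec chmod 0775 '{}' +
        find "$docroot/$p" -type f -exec chmod 0664 '{}' +
    done
}

# Audit: print every path under the docroot that is group- or world-writable. After
# lock_docroot this must list nothing but the paths you allowed on purpose.
writable_paths() {         # $1 = docroot
    find "$1" \( -perm -020 -o -perm -002 \) -print | sort
}

# Demo on a throwaway tree that stands in for a YOURLS checkout (constructed, not a
# real install). Prints the temp directory it used so the result can be inspected.
demo() {
    tmp=$(mktemp -d)
    docroot=$tmp/yourls
    mkdir -p "$docroot/includes" "$docroot/user/plugins/hideversion"
    : > "$docroot/yourls-loader.php"
    : > "$docroot/user/config.php"
    : > "$docroot/user/plugins/hideversion/plugin.php"
    chmod 0777 "$docroot/includes"          # simulate a sloppy "chmod -R 777" deploy
    write_admin_htaccess "$docroot" "$tmp/yourls.htpasswd"
    # constructed hash, not a real bcrypt output; use the htpasswd -nB line on a real host
    install_htpasswd_entry "$tmp/yourls.htpasswd" 'admin:$2y$05$constructed.hash.for.demo.only'
    # a plugin's data directory stands in for "the one place PHP may write"
    lock_docroot "$docroot" user/plugins/hideversion/data
    printf '%s\n' "$tmp"
}
```

On a real host, run the functions against the actual docroot and an htpasswd path outside it, then check the result from the outside: a request for /admin/ must come back 401 before any YOURLS HTML (and therefore any version string) is sent, and writable_paths on the docroot must print only the directories you chose to leave writable. If the 401 does not appear, the vhost is not allowing .htaccess overrides and the same four Auth directives belong in a <Directory> block of the vhost config instead.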

chtaube commented Apr 1, 2015

user/plugins/hideversion/plugin.php:

<?php
/*
Plugin Name: Hide Version String
Plugin URI: https://github.com/YOURLS/YOURLS/issues/1878
Description: Plugin to hide the version string in the footer.
Version: 0.1
Author: chtaube
Author URI: http://github.com/chtaube
*/

// Refuse to run when the file is requested directly instead of being loaded by YOURLS
if( !defined( 'YOURLS_ABSPATH' ) ) die();

// The footer text is built in yourls_html_footer() and passed through this filter
yourls_add_filter( 'html_footer_text', 'hide_version_string' );

function hide_version_string( $value ) {
    // Drop " v<version> &ndash; " (space after the v optional) and keep the " &ndash; " separator.
    // preg_replace rather than preg_filter: preg_filter() returns NULL when the pattern does
    // not match, which would blank the whole footer if its format ever changes.
    return preg_replace( '/ v ?.*? &ndash; /', ' &ndash; ', $value );
}
ozh (Member) commented Apr 1, 2015

Exactly what @chtaube says 👍
