Remove version info from login screen #1878

Closed
sirtet opened this issue Apr 1, 2015 · 3 comments

@sirtet sirtet commented Apr 1, 2015

I know, security by obscurity is not working alone.
Still, I'd prefer to make life harder for an attacking bot who just needs to query the version string to apply the correct attack.

I'm no security expert, it's just an idea about something that sprung to my eye...

@chtaube chtaube commented Apr 1, 2015

No bot would ever care about the version string returned, as this could be forged anyway. They don't even care if a particular application is installed at all. They simply try out all attacks/exploits that they have in their database and hope that one of them is successful.

If you want to harden your YOURLS installation, simply add password protection to the admin/ directory. As a side effect, this will hide the login page with the version string, too.

You can improve security even more by not giving the PHP interpreter write access to the webserver's document_root. Of course, this would break auto-update mechanisms of CMS like WordPress or Drupal. But as usual: There is no free lunch. The more you secure your installation, the less comfy it is for you to use and administer it.
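
The write-access suggestion in the comment above can be checked from the shell. This is an added example, not part of the thread or of YOURLS; the function name `php_writable_paths`, its reason labels, and both arguments (document root, PHP account name) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit a document root for paths the
# PHP account could modify. Judged from ownership and mode bits only; ACLs,
# read-only mounts and MAC policy are not considered.

# Usage: php_writable_paths DOCROOT PHP_USER
# Prints "reason<TAB>path" per finding; prints nothing when the tree is clean.
php_writable_paths() {
    docroot=$1
    php_user=$2
    {
        # Owner write bit set: the interpreter can modify the path directly.
        find "$docroot" ! -type l -user "$php_user" -perm -0200 \
            -exec printf 'owner-writable\t%s\n' {} \;
        # Owned but read-only: the owner can still chmod it back to writable.
        find "$docroot" ! -type l -user "$php_user" ! -perm -0200 \
            -exec printf 'owned-readonly\t%s\n' {} \;
        # Group write bit on a path that belongs to one of the account's groups.
        for grp in $(id -Gn "$php_user"); do
            find "$docroot" ! -type l ! -user "$php_user" -group "$grp" \
                -perm -0020 -exec printf 'group-writable\t%s\n' {} \;
        done
        # World-writable paths are a finding whoever owns them.
        find "$docroot" ! -type l ! -user "$php_user" -perm -0002 \
            -exec printf 'world-writable\t%s\n' {} \;
    } | sort -u
}

# Run the audit when called with both arguments (hypothetical invocation:
#   sh audit.sh /path/to/docroot php-account).
if [ "$#" -eq 2 ]; then
    php_writable_paths "$1" "$2"
fi
```

An `owned-readonly` finding means the tree should be owned by a different account than the one PHP runs as; clearing the write bit alone does not take write access away from the owner.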

@chtaube chtaube commented Apr 1, 2015

user/plugins/hideversion/plugin.php :

<?php
/*
Plugin Name: Hide Version String
Plugin URI: https://github.com/YOURLS/YOURLS/issues/1878
Description: Plugin to hide the version string in the footer.
Version: 0.1
Author: chtaube
Author URI: http://github.com/chtaube
*/

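// Refuse to run when the file is requested directly instead of loaded by YOURLS.
if( !defined( 'YOURLS_ABSPATH' ) ) die();

// Pass the admin footer text through hide_version_string() before output.
yourls_add_filter( 'html_footer_text', 'hide_version_string' );

// Drop " v <version>" from the footer, keeping the " &ndash; " separator.
function hide_version_string( $value ) {
    return preg_filter( '/ v .* \&ndash; /', ' &ndash; ', $value );
}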

@ozh ozh commented Apr 1, 2015

Exactly what @chtaube says 👍
