View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update
---|---|---|---|---|---
0001966 | OXID eShop (all versions) | 1.04. Content, static (register, contact etc.) pages | public | 2010-07-12 11:18 | 2010-09-23 14:43

Field | Value
---|---
Reporter | Bergfreunde
Assigned To |
Priority | high
Severity | minor
Reproducibility | always
Status | resolved
Resolution | fixed
Product Version | 4.4.0 revision 28699
Fixed in Version | 4.4.3 revision 30016
Summary | 0001966: Don't show the full OXID eShop version publicly
Tags | No tags attached.
Theme |
Browser | All
PHP Version | any
Database Version | any

Description

It is a security leak to show which version the shop is running on, if you have an old version including a known bug.

1. `<!-- OXID eShop Enterprise Edition, Version 4.3.2, Shopping Cart System (c) OXID eSales AG 2003 - 2010 - http://www.oxid-esales.com -->` Delete the last two numbers (in this case .3.2), and leave only the first digit.
2. Add a restriction to the .htaccess file to deny viewing the pkg.rev file via http, as it contains the revision number (which maps to the exact eShop version).
Notes

ack

Reminder sent to: Bergfreunde, kdasdasf

Hi,

We would not treat this as a security issue, but more like a safety improvement. Almost the same simple way people can get the PHP version running on your server and use its issues to harm your eShop. But we'll check if removing the last two digits would not harm the integration of other systems/services, and if it's possible, we'll remove it.

Thank you for your report.

Best regards,

Therefore it would be nice if you deny access to the pkg.rev file in the shop root via .htaccess; otherwise you are still able to get the shop version based on the revision number, such as http://demoshop.oxid-esales.com/professional-edition/pkg.rev

Shows only the major version number, denies access to the pkg.rev file.
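As an added check for the two disclosures this report names (the full version in the HTML footer comment and a pkg.rev file readable over HTTP), the script below classifies a page's footer comment, rewrites it the way the fix does (major version only), and reports both findings. It is example code, not code from the report or from OXID eShop: the sample footer is constructed from the comment quoted in the description, the comment pattern and the function names are mine, and the assumption that a shop with the deny rule in place answers `GET /pkg.rev` with 403 or 404 is mine rather than documented OXID behaviour.

```python
import re

# Constructed sample footer, modelled on the comment quoted in the report
# (not a capture from a real shop).
SAMPLE_FULL = (
    "<html><body>shop page</body></html>\n"
    "<!-- OXID eShop Enterprise Edition, Version 4.3.2, Shopping Cart System "
    "(c) OXID eSales AG 2003 - 2010 - http://www.oxid-esales.com -->\n"
)

# Matches the start of the footer comment and captures the version token.
# The pattern is an assumption derived from the one comment quoted in the report.
VERSION_COMMENT = re.compile(
    r"<!--\s*OXID eShop (?P<edition>\w+) Edition, Version (?P<version>[\d.]+),"
)


def version_exposure(html):
    """Classify the footer comment: ('none', None), ('major', '4') or ('full', '4.3.2')."""
    match = VERSION_COMMENT.search(html)
    if match is None:
        return ("none", None)
    version = match.group("version")
    return ("full" if "." in version else "major", version)


def redact_version_comment(html):
    """Rewrite the comment so only the major version remains, as the fix does."""
    def trim(match):
        major = match.group("version").split(".")[0]
        # Replace only the version token inside the matched comment head.
        return match.group(0).replace(match.group("version"), major, 1)
    return VERSION_COMMENT.sub(trim, html)


def assess(html, pkg_rev_status):
    """List the disclosures found; pkg_rev_status is the HTTP status of GET /pkg.rev.

    Assumption: a shop that denies the file answers 403 (or 404); a 200 means the
    revision number, and with it the exact version, is readable.
    """
    findings = []
    level, version = version_exposure(html)
    if level == "full":
        findings.append(f"full version {version} disclosed in HTML comment")
    if pkg_rev_status == 200:
        findings.append("pkg.rev readable over HTTP (revision number disclosed)")
    return findings


if __name__ == "__main__":
    print(assess(SAMPLE_FULL, 200))                          # both findings
    print(assess(redact_version_comment(SAMPLE_FULL), 403))  # []
```

The deny itself is an Apache `<Files pkg.rev>` block containing `Deny from all` (Apache 2.2 syntax, `Require all denied` on 2.4) in the shop root's .htaccess; the script only verifies the outcome by status code, so it can be run against a saved page and a recorded status without touching a live shop.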