View Issue Details

ID: 0001966
Project: OXID eShop (all versions)
Category: 1.04. Content, static (register, contact etc.) pages
View Status: public
Last Update: 2010-09-23 14:43
Reporter: Bergfreunde
Assigned To: (none)
Priority: high
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 4.4.0 revision 28699
Fixed in Version: 4.4.3 revision 30016
Summary: 0001966: Don't show the full OXID eShop version publicly
Description: It is a security leak to show which version the shop is running on, if you have an old version including a known bug.

1. <!-- OXID eShop Enterprise Edition, Version 4.3.2, Shopping Cart System (c) OXID eSales AG 2003 - 2010 - http://www.oxid-esales.com -->

Delete the last two numbers (in this case .3.2), and leave only the first digit.

2. Add restriction to .htaccess file to deny viewing the pkg.rev file via http, as it contains the revision number (which maps to exact eShop version).
Tags: No tags attached.
Theme:
Browser: All
PHP Version: any
Database Version: any

Activities

kdasdasf (reporter), 2010-08-02 01:17, note ~0003343

ack

dainius.bigelis (reporter), 2010-09-09 18:26, note ~0003494

Reminder sent to: Bergfreunde, kdasdasf

Hi,

We would not treat this as a security issue, but more like a safety improvement. Almost the same simple way people can get the PHP version running on your server and use its issues to harm your eShop.
But we'll check if removing last two digits would not harm the integration of other systems/services, and if it's possible - we'll remove it.

Thank you for your report.
Best regards,

dominik_ziegler (reporter), 2010-09-16 10:54, note ~0003522

Therefore it would be nice if you deny access to the pkg.rev file in shop root via .htaccess or you are still able to get the shop version based on the revision number such as http://demoshop.oxid-esales.com/professional-edition/pkg.rev

alfonsas_cirtautas (reporter), 2010-09-23 09:02, note ~0003544

Shows only major version number, denies access to pkg.rev file
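The two measures in this issue, checked and applied from the shop operator's side, as an added example that is not part of the issue or of OXID's own code. It assumes the shop emits the generator comment quoted in the description and runs under Apache with .htaccess processing enabled; the HTML files, the sample comment lines and the output path are constructed for the demo. The first function extracts the version from the comment, the second classifies whether a page still discloses the full release or only the major number (the shape the fix leaves behind), and the third writes the pkg.rev deny rule in both Apache 2.2 and 2.4 syntax.

```shell
#!/bin/sh
# Added example, not part of the OXID issue or the project's code. Assumes the
# shop prints the generator comment quoted in the report and runs under Apache
# with .htaccess processing enabled. All file names below are constructed.

# Print the version string from the OXID generator comment in an HTML file
# (e.g. "4.3.2"), or nothing when no such comment is present.
oxid_version_in_html() {
    sed -n 's/.*OXID eShop [A-Za-z]* Edition, Version \([0-9][0-9.]*\),.*/\1/p' "$1" | head -n 1
}

# Classify the disclosure: "full" (4.3.2, the exact release), "major" (4, as
# left by the fix) or "none" (comment absent).
version_disclosure() {
    v=$(oxid_version_in_html "$1")
    case "$v" in
        "")  echo none ;;
        *.*) echo full ;;
        *)   echo major ;;
    esac
}

# Write an .htaccess fragment denying HTTP access to pkg.rev. Both the Apache
# 2.2 (Order/Deny) and 2.4 (Require) forms are emitted, selected by IfModule,
# so the rule holds on either release.
write_pkgrev_htaccess() {
    cat > "$1" <<'EOF'
<Files "pkg.rev">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
EOF
}

# Demo on constructed pages: the comment from the report, and the fixed form.
demo_dir=$(mktemp -d)
printf '%s\n' '<!-- OXID eShop Enterprise Edition, Version 4.3.2, Shopping Cart System (c) OXID eSales AG 2003 - 2010 - http://www.oxid-esales.com -->' > "$demo_dir/before.html"
printf '%s\n' '<!-- OXID eShop Enterprise Edition, Version 4, Shopping Cart System (c) OXID eSales AG 2003 - 2010 - http://www.oxid-esales.com -->' > "$demo_dir/after.html"
echo "before: $(version_disclosure "$demo_dir/before.html")"   # full
echo "after:  $(version_disclosure "$demo_dir/after.html")"    # major
write_pkgrev_htaccess "$demo_dir/.htaccess"
```

Run the classifier against a saved copy of any shop page after upgrading; a result of `full` means the template still prints the complete release. The .htaccess fragment belongs in the shop root next to pkg.rev, and only has effect if the server's `AllowOverride` permits Limit/AuthConfig directives there.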