Some security concerns


Postby kakashka12345 » Tue Dec 28, 2010 8:12 am

Hi...

I am not trying to be paranoid or something, but I wanted to point your attention to the following:

module_parser.php generates meta tag "generator" and a current Pivot version as an HTML comment.

eg:
Code:
<meta name="generator" content="PivotX" /><!-- version: 100000 -->


Is displaying a version really necessary? The version can tell a potential attacker what he is dealing with, if one tries to find an exploit in the system ...
kakashka12345
 
Posts: 10
Joined: Sun Dec 26, 2010 4:01 am
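
Added example (not part of the original thread, and not PivotX code): a small Python check a site owner can run over their own rendered pages to see whether the generator meta tag and version comment described in the post above are being emitted. The sample pages, class name and function name are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# A digit run, optionally dotted: matches "100000" as well as "2.0.1".
VERSION_RE = re.compile(r"\d+(?:\.\d+)*")


class DisclosureAudit(HTMLParser):
    """Collects generator meta tags and HTML comments that carry a version."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, text, version or None)

    def handle_starttag(self, tag, attrs):
        # Self-closing <meta ... /> tags also arrive here.
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("name", "").strip().lower() == "generator":
            content = a.get("content", "")
            m = VERSION_RE.search(content)
            self.findings.append(
                ("meta-generator", content, m.group(0) if m else None))

    def handle_comment(self, data):
        text = data.strip()
        m = VERSION_RE.search(text)
        if "version" in text.lower() and m:
            self.findings.append(("comment", text, m.group(0)))


def audit(html):
    """Return every platform/version marker found in one rendered page."""
    parser = DisclosureAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample pages: the markup quoted in the post, and a hand-edited tag.
SAMPLE_DEFAULT = ('<html><head><meta name="generator" content="PivotX" />'
                  '<!-- version: 100000 --></head><body></body></html>')
SAMPLE_EDITED = '<html><head><meta name="generator" content="My Admin"/></head></html>'

if __name__ == "__main__":
    for label, page in (("default", SAMPLE_DEFAULT), ("edited", SAMPLE_EDITED)):
        for kind, text, version in audit(page):
            print(f"{label}: {kind}: {text!r} (version: {version})")
```

Running it against saved copies of your own pages after each upgrade shows whether a manual template edit has been overwritten.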

Re: Some security concerns

Postby hansfn » Tue Dec 28, 2010 3:08 pm

Being paranoid is healthy, but since that information is so easy to get in another place, removing it doesn't help much.
hansfn
Developer
 
Posts: 3282
Joined: Sun Nov 25, 2007 7:48 pm
Location: Molde, Norway

Re: Some security concerns

Postby Bob » Fri Dec 31, 2010 9:21 am

I've been thinking about this for a while, and I agree with Hans: Hiding the number would just give a false sense of security, because there's plenty of ways to find out the actual version number. One of the ways that could never be prevented fully is to get pivotx/includes/js/pivotx.js and compare that to known versions you've downloaded off our site.

For fun, check out this post by some guy who lists a ton of ways to find out what version of WP a site is running: http://w-shadow.com/blog/2009/12/02/det ... s-version/
Bob
Lead Developer
 
Posts: 1374
Joined: Tue Nov 20, 2007 11:16 pm

Re: Some security concerns

Postby kakashka12345 » Sat Jan 01, 2011 9:16 am

Bob wrote: I've been thinking about this for a while, and I agree with Hans: Hiding the number would just give a false sense of security, because there's plenty of ways to find out the actual version number. One of the ways that could never be prevented fully is to get pivotx/includes/js/pivotx.js and compare that to known versions you've downloaded off our site.

For fun, check out this post by some guy who lists a ton of ways to find out what version of WP a site is running: http://w-shadow.com/blog/2009/12/02/det ... s-version/


Bob, you are right and I agree.
If someone (capable enough) decides to target your site and to bring it down by finding an exploit in your CMS, most probably he will be able to do it, and removal of some comment will not stop him. WP has some plugin that removes the version from a number of locations.

Perhaps I should have started this thread differently. PivotX is not as widely used, unlike WP. Therefore most probably Pivot sites are not targeted as often as WP sites.

I think the following can be considered as a quite common scenario:
When some naughty script kid manages to get inside yet another WP site, he publishes the exploit on the dedicated h4x0r boards. Following that, another script kiddy tries his luck using that exploit on the dedicated WP sites based on the WP version compatibility. The latter kiddy opens Google, and quickly finds his future targets simply by typing something like this:
Code:
content="WordPress x.x.x

Google returns X number of results ... The rest is a matter of trial and error.

My question is:
Why make it easier for a potential attacker? How about not leaving obvious hints about the version of your platform in your HTML, CSS, JS and whatnot files that are accessible via HTTP/S? Or perhaps let's have it as an option in advanced config? Not having obvious hints in place will most probably discourage the script kiddy from targeting the site ... (I am not talking about a case when someone pledged to erase you from the face of the In-net)


I think you understand what I am trying to say ... Sorry once again for pessimistic thinking, I guess one starts thinking differently after the bite ;) (Having said that, I am not implying that you are a non-thinker)

P.S. Happy new year!
kakashka12345
 
Posts: 10
Joined: Sun Dec 26, 2010 4:01 am

Re: Some security concerns

Postby bangkak » Wed Dec 07, 2011 9:08 am

I just changed the file "/pivotx/modules/module_parser.php" to <meta name="generator" content="My Admin"/>.
bangkak
 
Posts: 3
Joined: Tue Dec 06, 2011 10:41 am

Re: Some security concerns

Postby kakashka12345 » Mon Dec 26, 2011 9:25 am

Hi,

That's not really the best solution, because the moment you update to a newer PivotX version, you lose all your changes and you have to repeat the manual process again.
kakashka12345
 
Posts: 10
Joined: Sun Dec 26, 2010 4:01 am

