[ZendTo] Feature Request: Option to disable visible version strings
Jules Field
Jules at Zend.To
Thu Jul 12 17:31:35 BST 2018
Why not just set "ZTVERSION" in preferences.php to any other string you
like?
That's exactly why I let you set it. Just change it to "1" or something
like that.
Cheers,
Jules.
On 12/07/2018 16:30, Ricky Boone via ZendTo wrote:
> I think it would be helpful to include an option that disables the
> visibility of the version, at least to non-administrators, that is
> normally rendered at the footer of every page. While there are
> absolutely other ways to secure a system, or ways that bad actors
> could determine what version you're potentially running, handing out
> information like the version string can be a risk if there is a
> zero-day or other vulnerability. Several best practices related to
> securing a web server include disabling version strings or otherwise
> obfuscating the Server header in Apache httpd, for example:
>
> https://www.owasp.org/index.php/Fingerprint_Web_Server_(OTG-INFO-002)
>
> For the time being, I'm just clearing out the parts of the footer.tpl
> template that include this, but I think this would be cleaner to do
> within the config. If I'm going about this the wrong way, let me
> know; however, I'm still of the opinion that publicly announcing this
> level of detail is probably not the most secure option, either.
Jules
--
Julian Field MEng CEng CITP MBCS MIEEE MACM
'Adversity is like a strong wind. I don't mean just that it holds
us back from places we might otherwise go. It also tears away from
us all but the things that cannot be torn, so that afterward we see
ourselves as we really are, and not merely as we might like to be.'
- Arthur Golden
www.Zend.To
Twitter: @JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654