security of CHANGELOG.txt

Do others consider it a security risk to leave CHANGELOG.txt web accessible; i.e., broadcasting what version of Drupal you're running, for those who know to look?

-Matt

_______________________________________________
consulting mailing list
consulting@...
http://lists.drupal.org/mailman/listinfo/consulting

Re: security of CHANGELOG.txt

I think it is good to remove it. You don't need it, with Drupal status pages telling you version info in the system. It just gives hackers more info to narrow down the exploits needed to hack a site/app. I have noticed that most of the large/well-known Drupal sites have removed it.

On Sep 28, 2009, at 4:21 PM, Matt Chapman wrote:

> Do others consider it a security risk to leave CHANGELOG.txt web
> accessible; i.e., broadcasting what version of Drupal you're
> running, for those who know to look?
>
> -Matt

Re: security of CHANGELOG.txt

> I think it is good to remove it. You don't need it, with Drupal
> status pages telling you version info in the system. It just gives
> hackers more info to narrow down the exploits needed to hack a site/
> app. I have noticed that most of the large/well-known Drupal sites

You can remove it - there's no problem with that. However, you're gaining absolutely nothing security-wise. There are sniffers out there that can detect what version you're running just by the outputs of your site. Similarly, most exploitation kits will test hundreds of exploits on your system *regardless of what version you have*. In actuality, it *takes too much work to find out what version you have* - most kits just throw the whole sink at your site, in hopes that something works.

--
Morbus Iff ( anything else in the box, pandora? )
Technical: http://www.oreillynet.com/pub/au/779
Enjoy: http://www.disobey.com/ and http://www.videounderbelly.com/
aim: akaMorbus / skype: morbusiff / icq: 2927491 / jabber.org: morbus

RE : security of CHANGELOG.txt

If you don't keep core up to date, it can be seen as such, but of course the vulnerability is not the CHANGELOG per se, but the fact that you are not upgrading.

It's basically complaining about the symptom without caring for the disease.

________________________________________
From: consulting-bounces@... [consulting-bounces@...] on behalf of Matt Chapman [Matt@...]
Sent: Monday, 28 September 2009 22:21
To: A list for Drupal consultants and Drupal service/hosting providers
Subject: [consulting] security of CHANGELOG.txt

Do others consider it a security risk to leave CHANGELOG.txt web accessible; i.e., broadcasting what version of Drupal you're running, for those who know to look?

-Matt

Re: RE : security of CHANGELOG.txt

Do delete it if you feel like it, but don't a) rely only on that as a protection, and b) let it make you fall into the "security by obscurity" trap.

--
Khalid M. Baheyeldin
2bits.com, Inc.
http://2bits.com
Drupal optimization, development, customization and consulting.
Simplicity is prerequisite for reliability. -- Edsger W. Dijkstra
Simplicity is the ultimate sophistication. -- Leonardo da Vinci

Re: RE : security of CHANGELOG.txt

In general, I would think that if they know enough to look at your changelog, they know enough to just test for the security exploit in question. i.e. "those who know to look" probably do know how to look.

-Sam

On Sep 29, 2009, at 2:22 AM, fgm wrote:

> If you don't keep core up to date, it can be seen as such, but of
> course the vulnerability is not the CHANGELOG per se, but the fact
> that you are not upgrading.
>
> It's basically complaining about the symptom without caring for the
> disease.
> ________________________________________
> From: consulting-bounces@... [consulting-bounces@...]
> on behalf of Matt Chapman [Matt@...]
> Sent: Monday, 28 September 2009 22:21
> To: A list for Drupal consultants and Drupal service/hosting providers
> Subject: [consulting] security of CHANGELOG.txt
>
> Do others consider it a security risk to leave CHANGELOG.txt web
> accessible; i.e., broadcasting what version of Drupal you're running,
> for those who know to look?
>
> -Matt