#2691: Trac shouldn't announce version number
--------------------------+-------------------------------------------------
Reporter: [EMAIL PROTECTED] | Owner: jonas
Type: defect | Status: new
Priority: high | Milestone:
Component: general | Version: 0.9.3
Severity: major | Resolution:
Keywords: security |
--------------------------+-------------------------------------------------
Comment (by anonymous):
"Security by obscurity", funny. Sure, hiding the version number doesn't
fix security leaks, but announcing to the world (and yes, that's what
you're doing) that you're running a possibly vulnerable software package
is like putting a sign on your front door: "key under the mat".
SecurityFocus lists 9 (!) security-related issues with Trac, I'm sure they
were not the last ones.
Fingerprinting via Google is done a lot these days, that's why so many web
bulletin boards are hacked each day. Please, don't make your users easy
targets.
There are still 172 vulnerable Tracs out there, although the last serious
bug was fixed a month ago. A lot of time for attackers.
--
Ticket URL: <http://projects.edgewall.com/trac/ticket/2691>
The Trac Project <http://trac.edgewall.com/>