On 19.07.2012 13:59, Thomas Bruederli wrote:
> On Mon, Jul 16, 2012 at 1:32 PM, Reindl Harald <[email protected]> wrote:
>> this is a BAD default
>>
>> usually distributions packaging roundcube and
>> if this file is not flagged as config-noreplace
>> any change gets overwritten on updates
>>
>> for security reason no software has to cry out
>> its version to random robots and possible
>> attackers as default!
>
> That is a BAD argument!

this is NOT a bad argument

> If somebody wants to find out the version of a
> Roundcube installation there are plenty of ways
> to do so, even without the version directly exposed

but it is more difficult

with your argumentation the Server-Header would also not be needed
to find out the exact httpd version
"Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.0j-fips"

it is proven by external security-audits that it is impossible to find out
the httpd-version with nessus and other tools if you configure your
machine properly

> On the other hand, we often get support requests where people cannot
> say what version of Roundcube they're using because it's not visible
> to the users

so why the hell is there not a config file to enable/disable this, instead
of putting it in a default-template which gets randomly overwritten when
you install roundcube per package-management, which is the case for most
production environments

crying out the exact installed version of a server software to foreign
people is ALWAYS a very bad idea because it may abuse you if there is a
known security problem and you are some days behind with updates for
whatever reason (distribution lag, vacation, weekend)
_______________________________________________ Roundcube Users mailing list [email protected] http://lists.roundcube.net/mailman/listinfo/users
