Edgewall Software
Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#2691 closed defect (wontfix)

Trac shouldn't announce version number

Reported by: matt@… Owned by: jonas
Priority: high Milestone:
Component: general Version: 0.9.3
Severity: major Keywords: security
Cc:
Release Notes:
API Changes:

Description

Trac's 'about' page shows the version number, which is a security problem. It allows attackers to find victims easily using a search engine like Google. Google lists 193 Trac 0.9.2 installations at the moment which are vulnerable.

Attachments (2)

display_version.diff (1.2 KB) - added by lalinsky@… 8 years ago.
patch against svn trunk
display_version.2.diff (1.8 KB) - added by lalinsky@… 8 years ago.
patch against svn trunk (fixed one minor html problem)

Change History (10)

comment:1 Changed 8 years ago by eblot

There should be an option to disable Trac version display.

For non-public installations, this information is still useful.

comment:2 Changed 8 years ago by anonymous

Better yet, an option to enable it.

comment:3 Changed 8 years ago by anonymous

It's not just the about page, it's at the bottom of every page :-(

Changed 8 years ago by lalinsky@…

patch against svn trunk

Changed 8 years ago by lalinsky@…

patch against svn trunk (fixed one minor html problem)

comment:4 Changed 8 years ago by mgood

Well, this sort of falls into security through obscurity. If the version number is not displayed an attacker will find another way to distinguish the versions, or simply try all the sites. Keeping the version number visible would allow users of a Trac site to encourage the admins to upgrade it if they notice it's running an old version.

I suppose it doesn't hurt to have an option to disable displaying the version, but if this is done the version should be added to the "About/Configuration" page so that admins could still find the version even if it's not accessible on the other pages.

comment:5 Changed 8 years ago by anonymous

"Security by obscurity", funny. Sure, hiding the version number doesn't fix security leaks, but announcing to the world (and yes, that's what you're doing) that you're running a possibly vulnerable software package is like putting a sign on your front door: "key under the mat". Securityfocus lists 9 (!) security related issues with trac, I'm sure they were not the last ones.

Fingerprinting via google is done a lot these days, that's why so many web bulletin boards are hacked each day. Please, don't make your users easy targets.

There are still 172 vulnerable tracs out there, although the last serious bug was fixed a month ago. A lot of time for attackers.

comment:6 Changed 8 years ago by kai@…

The problem with this is that users just believe they are safe. But every thief knows where to look first for the door key… It should be made clear that hiding the version number does not free you from the task of upgrading your installation, just as putting your key under the mat does not free you from the task of fetching your key from the keyboard before closing the door.

comment:7 Changed 8 years ago by cboos

  • Resolution set to wontfix
  • Status changed from new to closed

I agree with mgood, here. Following the reasoning of this ticket, web servers shouldn't display their versions either… I'm sure the people behind Apache's httpd have a good reason for having chosen to display their ServerTokens in Full by default.

What could eventually be done, is to provide a setting for this, in the spirit of the ServerSignature/ServerTokens settings used by apache, in order to let the admin decide.

But I'm not sure it's worth the trouble, so I'm closing this as wontfix for now. If someone really wants to make this happen, at least provide a good patch for it.

comment:8 Changed 8 years ago by eblot

Note that security auditing tools such as http://www.nessus.org/ report a big warning when the Apache server tells about its version number.

Although I agree that "security by obscurity" is not a solution, there are a lot of IT administrators who do not accept that the version of a server or a web engine is reported to the world. In other words, in a perfect world the version number disclosure is not an issue, but in the real world this could prevent Trac from being installed.

For the above reason, I don't think this ticket should have been closed as wontfix.
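As an added example (not part of this ticket or of the Trac code base), a small self-check an admin could run against a saved response from their own Trac install to see whether the page footer or the Server header (the ServerTokens point raised in comment:7 and the scanner warning in comment:8) still discloses a version. The HTML footer, the header values and the version numbers below are constructed samples, not captured from any real site.

```python
import re

# Constructed sample page and headers, modelled on a Trac install that
# shows its version in the footer; not captured from any real site.
DISCLOSING_HTML = """<html><body>
<div id="footer">Powered by <a href="http://trac.edgewall.org/">Trac 0.9.3</a>
<br />By Edgewall Software.</div></body></html>"""
DISCLOSING_HEADERS = {"Server": "Apache/2.0.55 (Unix) mod_python/3.2.8 Python/2.4.2"}

# The same page with the version string removed and the server banner
# reduced to the product name only (what "ServerTokens Prod" would emit).
HARDENED_HTML = DISCLOSING_HTML.replace("Trac 0.9.3", "Trac")
HARDENED_HEADERS = {"Server": "Apache"}

# Footer pattern: "Trac 0.9.3"; banner pattern: "Apache/2.0.55" style tokens.
FOOTER_VERSION = re.compile(r"\bTrac\s+(\d+(?:\.\d+)+)")
BANNER_VERSION = re.compile(r"([A-Za-z_-]+)/(\d+(?:\.\d+)+)")


def find_version_disclosures(html, headers):
    """Return (location, product, version) tuples for every version string
    found in the HTML body footer and in the Server response header."""
    findings = []
    for m in FOOTER_VERSION.finditer(html):
        findings.append(("html footer", "Trac", m.group(1)))
    server = headers.get("Server", "")
    for product, version in BANNER_VERSION.findall(server):
        findings.append(("Server header", product, version))
    return findings


if __name__ == "__main__":
    for label, html, hdrs in (("disclosing", DISCLOSING_HTML, DISCLOSING_HEADERS),
                              ("hardened", HARDENED_HTML, HARDENED_HEADERS)):
        print(label, find_version_disclosures(html, hdrs))
```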
