Edgewall Software

Opened 10 years ago

Closed 10 years ago

Last modified 9 years ago

#2691 closed defect (wontfix)

Trac shouldn't announce version number

Reported by: matt@… Owned by: Jonas Borgström
Priority: high Milestone:
Component: general Version: 0.9.3
Severity: major Keywords: security
Release Notes:
API Changes:


Trac's 'about' page shows the version number, which is a security problem. It allows attackers to find victims easily using a search engine like google. Google lists 193 track 0.9.2 installations at the moment which are vulnerable.

Attachments (2)

display_version.diff (1.2 KB) - added by lalinsky@… 10 years ago.
patch against svn trunk
display_version.2.diff (1.8 KB) - added by lalinsky@… 10 years ago.
patch against svn trunk (fixed one minor html problem)

Download all attachments as: .zip

Change History (10)

comment:1 Changed 10 years ago by Emmanuel Blot

There should be an option to disable Trac version display.

For non-public installations, this information is still useful.

comment:2 Changed 10 years ago by anonymous

Better yet, an option to enable it.

comment:3 Changed 10 years ago by anonymous

It's not just the about page, it's at the bottom of every page :-(

Changed 10 years ago by lalinsky@…

Attachment: display_version.diff added

patch against svn trunk

Changed 10 years ago by lalinsky@…

Attachment: display_version.2.diff added

patch against svn trunk (fixed one minor html problem)

comment:4 Changed 10 years ago by Matthew Good

Well, this sort of falls into security through obscurity. If the version number is not displayed an attacker will find another way to distinguish the versions, or simply try all the sites. Keeping the version number visible would allow users of a Trac site to encourage the admins to upgrade it if they notice it's running an old version.

I suppose it doesn't hurt to have an option to disable display the version, but if this is done the version should be added to the "About/Configuration?" page so that admins could still find the version even if it's not accesible on the other pages.

comment:5 Changed 10 years ago by anonymous

"Security by obscurity", funny. Sure, hiding the version number doesn't fix security leaks, but announcing to the world (and yes, that's what you're doing) that you're running a possibly vulnerable software package is like putting a sign on your front door: "key under the mat". Securityfocus lists 9 (!) security related issues with trac, I'm sure they were not the last ones.

Fingerprinting via google is done a lot these days, that's why so many web bulletin boards are hacked each day. Please, don't make your users easy targets.

There are still 172 vulnerable tracs out there, although the last serious bug was fixed a month ago. A lot of time for attackers.

comment:6 Changed 10 years ago by kai@…

The problem with this is that users just believe they are safe. But every thieve knows where to look first for the door key… It should be made clear that hiding the version number does not free you from the task upgrading your installation. As putting your key under the mat does not free you from the task to fetch your key from the keyboard before closing the door.

comment:7 Changed 10 years ago by Christian Boos

Resolution: wontfix
Status: newclosed

I agree with mgood, here. Following the reasoning of this ticket, web servers shouldn't display their versions either… I'm sure the people behing Apache's httpd have a good reason for having chosen to display their ServerTokens? in Full by default.

What could eventually be done, is to provide a setting for this, in the spirit of the ServerSignature/ServerTokens settings used by apache, in order to let the admin decide.

But I'm not sure it's worth the trouble, so I'm closing this as wontfix for now. If someone really wants to make this happen, at least provide a good patch for it.

comment:8 Changed 10 years ago by Emmanuel Blot

Note that security auditing tools such as http://www.nessus.org/ report a big warning when the Apache server tells about its version number.

Although I agree that "security by obscurity" is not a solution, there are a lot of IT administrators that do not accept that the version of a server or a web engine is reported to the world. In other words, in a perfect world the version number disclosure is not an issue, but in the real world this could prevent Trac from being installed.

For the above reason, I don't think this ticket should have been closed as wontfix.

Modify Ticket

Change Properties
Set your email in Preferences
as closed The owner will remain Jonas Borgström.
The resolution will be deleted. Next status will be 'reopened'.
to The owner will be changed from Jonas Borgström to the specified user.

Add Comment

E-mail address and name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.