
Opened 18 years ago

Closed 18 years ago

Last modified 4 months ago

#2691 closed defect (wontfix)

Trac shouldn't announce version number

Reported by: matt@…
Owned by: Jonas Borgström
Priority: high
Milestone:
Component: general
Version: 0.9.3
Severity: major
Keywords: security
Cc:
Branch:
Release Notes:
API Changes:
Internal Changes:

Description

Trac's 'about' page shows the version number, which is a security problem. It allows attackers to find victims easily using a search engine like Google. Google lists 193 Trac 0.9.2 installations at the moment which are vulnerable.

Attachments (2)

display_version.diff (1.2 KB) - added by lalinsky@… 18 years ago.
patch against svn trunk
display_version.2.diff (1.8 KB) - added by lalinsky@… 18 years ago.
patch against svn trunk (fixed one minor html problem)


Change History (10)

comment:1 by Emmanuel Blot, 18 years ago

There should be an option to disable Trac version display.

For non-public installations, this information is still useful.

comment:2 by anonymous, 18 years ago

Better yet, an option to enable it.

comment:3 by anonymous, 18 years ago

It's not just the about page, it's at the bottom of every page :-(

by lalinsky@…, 18 years ago

Attachment: display_version.diff added

patch against svn trunk

by lalinsky@…, 18 years ago

Attachment: display_version.2.diff added

patch against svn trunk (fixed one minor html problem)

comment:4 by Matthew Good, 18 years ago

Well, this sort of falls into security through obscurity. If the version number is not displayed an attacker will find another way to distinguish the versions, or simply try all the sites. Keeping the version number visible would allow users of a Trac site to encourage the admins to upgrade it if they notice it's running an old version.

I suppose it doesn't hurt to have an option to disable displaying the version, but if this is done the version should be added to the "About/Configuration" page so that admins could still find the version even if it's not accessible on the other pages.

comment:5 by anonymous, 18 years ago

"Security by obscurity", funny. Sure, hiding the version number doesn't fix security leaks, but announcing to the world (and yes, that's what you're doing) that you're running a possibly vulnerable software package is like putting a sign on your front door: "key under the mat". Securityfocus lists 9 (!) security related issues with trac, I'm sure they were not the last ones.

Fingerprinting via google is done a lot these days, that's why so many web bulletin boards are hacked each day. Please, don't make your users easy targets.

There are still 172 vulnerable tracs out there, although the last serious bug was fixed a month ago. A lot of time for attackers.

comment:6 by kai@…, 18 years ago

The problem with this is that users just believe they are safe. But every thief knows where to look first for the door key… It should be made clear that hiding the version number does not free you from the task of upgrading your installation. As putting your key under the mat does not free you from the task to fetch your key from the keyboard before closing the door.

comment:7 by Christian Boos, 18 years ago

Resolution: wontfix
Status: new → closed

I agree with mgood, here. Following the reasoning of this ticket, web servers shouldn't display their versions either… I'm sure the people behind Apache's httpd have a good reason for having chosen to display their ServerTokens in Full by default.

What could eventually be done, is to provide a setting for this, in the spirit of the ServerSignature/ServerTokens settings used by apache, in order to let the admin decide.

But I'm not sure it's worth the trouble, so I'm closing this as wontfix for now. If someone really wants to make this happen, at least provide a good patch for it.
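The admin-controlled setting comment:7 sketches, in the spirit of Apache's ServerSignature/ServerTokens, as an added example that is not part of the ticket, its patches or Trac's code base. The `[trac] show_version` option name, the `trac.ini` fragments and the sample `Server:` header values are all constructed for this example; the version string 0.9.3 is the one the ticket reports against. The two check functions are the defender's side of the ticket: they report what a footer or a `Server:` header still discloses, so an admin can verify the setting actually took effect rather than assume it.

```python
"""Config-driven version disclosure for a Trac-style footer (added example)."""
import configparser
import re

VERSION = "0.9.3"  # version reported on the ticket

# Constructed trac.ini fragments. `show_version` under [trac] is a
# hypothetical option name chosen for this example, not a real Trac option.
WEAK_INI = """
[trac]
show_version = true
"""

HARDENED_INI = """
[trac]
show_version = false
"""


def load_show_version(ini_text):
    """Parse the hypothetical option; absent or unparsable means 'hidden'."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    return cp.getboolean("trac", "show_version", fallback=False)


def render_footer(show_version, version=VERSION):
    """Footer text with the version only when the admin opted in."""
    if show_version:
        return f"Powered by Trac {version}"
    return "Powered by Trac"


# Defender's check 1: does rendered page text still carry a Trac version?
_TRAC_VERSION_RE = re.compile(r"\bTrac\s+(\d+\.\d+(?:\.\d+)?)\b")


def disclosed_version(page_text):
    """Return the version string leaked by a page body, or None."""
    m = _TRAC_VERSION_RE.search(page_text)
    return m.group(1) if m else None


# Defender's check 2: the Apache analogue. With ServerTokens Full the header
# reads like "Apache/2.2.3 (Unix)"; with ServerTokens Prod it is just "Apache".
_SERVER_VERSION_RE = re.compile(r"/(\d+(?:\.\d+)+)")


def server_header_version(server_header):
    """Return the product version a Server: header discloses, or None."""
    m = _SERVER_VERSION_RE.search(server_header)
    return m.group(1) if m else None


def audit(ini_text, server_header):
    """Summarise both disclosure points for one deployment (constructed input)."""
    footer = render_footer(load_show_version(ini_text))
    return {
        "footer_version": disclosed_version(footer),
        "server_version": server_header_version(server_header),
    }


if __name__ == "__main__":
    # Weak deployment: option on, Apache ServerTokens Full
    print(audit(WEAK_INI, "Apache/2.2.3 (Unix)"))
    # Hardened deployment: option off, Apache ServerTokens Prod
    print(audit(HARDENED_INI, "Apache"))
```

As comment:4 and comment:6 point out, a clean audit result only means the version is no longer advertised; the upgrade still has to happen, which is why the version should remain visible to admins on an authenticated page.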

comment:8 by Emmanuel Blot, 18 years ago

Note that security auditing tools such as http://www.nessus.org/ report a big warning when the Apache server tells about its version number.

Although I agree that "security by obscurity" is not a solution, there are a lot of IT administrators that do not accept that the version of a server or a web engine is reported to the world. In other words, in a perfect world the version number disclosure is not an issue, but in the real world this could prevent Trac from being installed.

For the above reason, I don't think this ticket should have been closed as wontfix.
