Determining XF version on sites

Discussion in 'General XenForo Discussion and Feedback' started by Neil E., Aug 19, 2014.

  1. Neil E.

    Neil E. Active Member

    I've seen a few sites that are obviously using XF. I am curious to know which version they are running. Is there a simple way to find out?
  2. Amaury

    Amaury Well-Known Member

    No. At least not that I'm aware of.
  3. Martok

    Martok Well-Known Member

    There is a way, though I won't go into it in a public forum. Any good admin will protect their forum to prevent this.
  4. Brogan

    Brogan XenForo Moderator Staff Member

    There's another way too ;)
  5. Chris D

    Chris D XenForo Developer Staff Member

    I'm not sure of the exact method Brogan is referring to.

    But there are a few indicators.

    The copyright message will tell you the year that version was released. And there are a few feature based indicators too. I'm not aware of anything concrete other than what Martok is suggesting but some admins will protect that page anyway.
  6. Neil E.

    Neil E. Active Member

    Well, I'm not looking to do any hacking, it's just that when I saw the XF Trademark Year being 2010-2012, I was curious what version they were using. What is the downside to someone knowing which version is being run? Does it allow for possible security issues?
  7. Chris D

    Chris D XenForo Developer Staff Member

    Copyright of 2012 would be a 1.1.x version. There's no hacking involved. It's not even really a big secret.


    The install page reveals the version number. I don't bother protecting my install page because only one account can access it anyway and frankly I don't care if people know what version I run.
  8. x3sphere

    x3sphere Active Member

    Hiding the version doesn't protect your forum. At best, it can help against automated exploit scanners, I guess, but since it only masks any potential vulnerabilities, anyone dedicated enough is not going to be put off by this.

    I certainly don't care about version information being exposed as I always keep my software up to date.
  9. Amaury

    Amaury Well-Known Member

    Anything's possible, I guess. If there is a security vulnerability in version 5.0 of a program, for example, and a hacker knows this and knows you're running that version, then there's a chance you might be in trouble.
  10. Neil E.

    Neil E. Active Member

    Using the install link as per Chris, I got to their upgrade page login and the version is shown as 1.1.2.
    That's basically what I had already guessed by the site appearance.
    Thanks for the replies.

    What is normally done to hide this page?
  11. Chris D

    Chris D XenForo Developer Staff Member

    GeorgeS likes this.
  12. Neil E.

    Neil E. Active Member

    Thanks for that guide link.
  13. Martok

    Martok Well-Known Member

    Indeed it doesn't protect your forum (unless you're a daft admin whose super administrator account is "admin" with an easily guessable password). Protecting the page means you aren't advertising your XF version. You and I may always update to the latest stable version but not everyone does. So it's possible to use the page to identify an XF forum that hasn't installed the 1.3.5 security update.
  14. Liam W

    Liam W Well-Known Member

    Unless they applied the patch file that Mike attached to a post somewhere ;)

    I completely hid my install directory - https://xf-liam.com/install. I 0000'd the permissions on it.

    I don't need to use it anyway - I always use the CLI updater.

    Extra security, even if it isn't much, is always worth taking.

    Last edited: Aug 20, 2014
  15. tyteen4a03

    tyteen4a03 Well-Known Member

    You can determine it by the copyright version, the jQuery version, and heck, you can even compare the xenforo.min.js between versions.

    Here are some major differences:
    1.1: Has log out button.
    1.2: jQuery bumped to 1.9. (iirc?)
    1.3: jQuery bumped to 1.10.

    There is no obvious way (in order to protect sites from being put on the kill list easily) but it is possible.
  16. RoldanLT

    RoldanLT Well-Known Member

    That security update is only considered as an exploit if you have registered feeds from external sites.
  17. Martok

    Martok Well-Known Member

    I know it's not an issue for many sites. It is for a few though and someone can identify if those sites are likely to be still vulnerable by their XF version in the install page if the site admin hasn't protected it.
  18. oman

    oman Well-Known Member

    I always use the /install directory.... when I'm curious to check. :p

