Determining XF version on sites
- Thread starter Neil E.
- Start date
I'm not sure of the exact method Brogan is referring to.
But there are a few indicators.
The copyright message will tell you the year that version was released. And there are a few feature based indicators too. I'm not aware of anything concrete other than what Martok is suggesting but some admins will protect that page anyway.
But there are a few indicators.
The copyright message will tell you the year that version was released. And there are a few feature based indicators too. I'm not aware of anything concrete other than what Martok is suggesting but some admins will protect that page anyway.
Copyright of 2012 would be a version 1.1.x version. There's no hacking involved. It's not even really a big secret.
http://xenmediagallery.com/install/
The install page reveals the version number. I don't bother protecting my install page because only one account can access it anyway and frankly I don't care if people know what version I run.
http://xenmediagallery.com/install/
The install page reveals the version number. I don't bother protecting my install page because only one account can access it anyway and frankly I don't care if people know what version I run.
x3sphere
Active member
Hiding the version doesn't protect your forum. At best, it can help against automated exploit scanners I guess, but since it only masks any potential vulnerabilities anyone dedicated enough is not going to be put off by this.
I certainly don't care about version information being exposed as I always keep my software up to date.
Amaury
Well-known member
Anything's possible, I guess. If there is a security vulnerability in version 5.0 of a program, for example, and a hacker knows this and knows you're running that version, then there's a chance you might be in trouble.
Just protected with htaccess. Just like here:
http://xenforo.com/community/install
This guide by Brogan will help:
http://xenforo.com/community/resour...and-the-install-directory-using-htaccess.353/
http://xenforo.com/community/install
This guide by Brogan will help:
http://xenforo.com/community/resour...and-the-install-directory-using-htaccess.353/
Martok
Well-known member
Indeed it doesn't protect your forum (unless you're a daft admin whose super administrator account is "admin" with an easy guessable password). Protecting the page means you aren't advertising your XF version. You and I may always update to the latest stable version but not everyone does. So it's possible to use the page to identify an XF forum that hasn't installed the 1.3.5 security update.
Liam W
in memoriam 1998-2020
Unless they applied the patch file that Mike attached to a post somewhere
I completely hid my install directory - https://xf-liam.com/install 0000'd the permissions on it.
I don't need to use it anyway - I always use the CLI updater.
Extra security, even if it isn't much, is always worth taking.
Liam
Last edited:
tyteen4a03
Well-known member
You can determine by the copyright version, the jQuery version, and heck, you can even compare the xenforo.min.js between versions.
Here are some major differences:
1.1: Has log out button.
1.2: jQuery bumped to 1.9. (iirc?)
1.3: jQuery bumped to 1.10.
There is no obvious way (in order to protect sites from being put on the kill list easily) but it is possible.
Here are some major differences:
1.1: Has log out button.
1.2: jQuery bumped to 1.9. (iirc?)
1.3: jQuery bumped to 1.10.
There is no obvious way (in order to protect sites from being put on the kill list easily) but it is possible.
That security update only consider as an exploit if you have registered feeds from external sites.
Martok
Well-known member
I know it's not an issue for many sites. It is for a few though and someone can identify if those sites are likely to be still vulnerable by their XF version in the install page if the site admin hasn't protected it.
Similar threads
- Question
