Determining XF version on sites

Neil E.

Active member
I've seen a few sites that are obviously using XF. I am curious to know which version they are running. Is there a simple way to find out?
 
There is a way, though I won't go into it in a public forum. Any good admin will protect their forum to prevent this.
 
I'm not sure of the exact method Brogan is referring to.

But there are a few indicators.

The copyright message will tell you the year that version was released. And there are a few feature based indicators too. I'm not aware of anything concrete other than what Martok is suggesting but some admins will protect that page anyway.
 
Well I'm not looking to do any hacking, it's just that when I saw the XF Trademark Year being 2010-2012, I was curious what version they were using. What is the downside to someone knowing which version is being run? Does it allow for possible security issues?
 
Copyright of 2012 would be a version 1.1.x version. There's no hacking involved. It's not even really a big secret.

http://xenmediagallery.com/install/

The install page reveals the version number. I don't bother protecting my install page because only one account can access it anyway and frankly I don't care if people know what version I run.
 
There is a way, though I won't go into it in a public forum. Any good admin will protect their forum to prevent this.

Hiding the version doesn't protect your forum. At best, it can help against automated exploit scanners I guess, but since it only masks any potential vulnerabilities anyone dedicated enough is not going to be put off by this.

I certainly don't care about version information being exposed as I always keep my software up to date.
 
What is the downside to someone knowing which version is being run? Does it allow for possible security issues?

Anything's possible, I guess. If there is a security vulnerability in version 5.0 of a program, for example, and a hacker knows this and knows you're running that version, then there's a chance you might be in trouble.
 
Using the install link as per Chris, I got to their upgrade page login and the version is shown as 1.1.2
That's basically what I had already guessed by the site appearance.
Thanks for the replies.

What is normally done to hide this page?
 
Hiding the version doesn't protect your forum. At best, it can help against automated exploit scanners I guess, but since it only masks any potential vulnerabilities anyone dedicated enough is not going to be put off by this.

I certainly don't care about version information being exposed as I always keep my software up to date.
Indeed it doesn't protect your forum (unless you're a daft admin whose super administrator account is "admin" with an easy guessable password). Protecting the page means you aren't advertising your XF version. You and I may always update to the latest stable version but not everyone does. So it's possible to use the page to identify an XF forum that hasn't installed the 1.3.5 security update.
 
Indeed it doesn't protect your forum (unless you're a daft admin whose super administrator account is "admin" with an easy guessable password). Protecting the page means you aren't advertising your XF version. You and I may always update to the latest stable version but not everyone does. So it's possible to use the page to identify an XF forum that hasn't installed the 1.3.5 security update.

Unless they applied the patch file that Mike attached to a post somewhere ;)

I completely hid my install directory - https://xf-liam.com/install 0000'd the permissions on it.

I don't need to use it anyway - I always use the CLI updater.

Extra security, even if it isn't much, is always worth taking.

Liam
 
Last edited:
You can determine by the copyright version, the jQuery version, and heck, you can even compare the xenforo.min.js between versions.

Here are some major differences:
1.1: Has log out button.
1.2: jQuery bumped to 1.9. (iirc?)
1.3: jQuery bumped to 1.10.

There is no obvious way (in order to protect sites from being put on the kill list easily) but it is possible.
 
That security update only consider as an exploit if you have registered feeds from external sites.
I know it's not an issue for many sites. It is for a few though and someone can identify if those sites are likely to be still vulnerable by their XF version in the install page if the site admin hasn't protected it.
 
  • Like
Reactions: rdn
Top Bottom