An admin user is not logged into the forum, yet when the /install/ path is visited, the current version number of the software is displayed on the right side in the footer. This seems like an easy way for someone to learn the version number of the forum software. Why is/was this done?
Why is forum software version displayed to public in the install area?
- Thread starter BoardBoss
- Start date
We don't particularly place a great deal of significance over the software version, though we haven't gone as far as some software, such as vBulletin and WordPress who display it in the source code in a meta generator tag, though there could be benefits to us doing this in the future.
For now, if you don't want that to be displayed there, you can add an extra layer of security by adding password protection to that page:
https://xenforo.com/community/resou...and-the-install-directory-using-htaccess.353/
You can see we do that here:
https://xenforo.com/community/install/
For now, if you don't want that to be displayed there, you can add an extra layer of security by adding password protection to that page:
https://xenforo.com/community/resou...and-the-install-directory-using-htaccess.353/
You can see we do that here:
https://xenforo.com/community/install/
I understand YOU (as a team) do not place a great deal of significance over displaying the software version, or it would not be shown on the page. I understand there are different methods to employ to protect the page, although that really does not address the 'why" of what I posted.
With the number of people looking to exploit sites, especially popular ones, it seems a bit shortsighted that the software version is publicly displayed somewhere. I understand other solutions have shortcomings as well. Shouldn't it be your goal to be better than them? I have used vBulletin in almost 8 years, after using it for a long time. The mounting number of security problems contributed greatly to that decision. For the record, I am no fan of WordPress for similar reasons.
That said, I spent almost a year researching and testing various forum software before deciding to try XenForo. To find such simple and easily-correctable issues is, quite frankly, very surprising to me. Rather than defend such deficiencies, why not eliminate them? Can you think of any good reason that the public should know what version software a site is running? I cannot. I really hope the team considers fixing these types of issues.
With the number of people looking to exploit sites, especially popular ones, it seems a bit shortsighted that the software version is publicly displayed somewhere. I understand other solutions have shortcomings as well. Shouldn't it be your goal to be better than them? I have used vBulletin in almost 8 years, after using it for a long time. The mounting number of security problems contributed greatly to that decision. For the record, I am no fan of WordPress for similar reasons.
That said, I spent almost a year researching and testing various forum software before deciding to try XenForo. To find such simple and easily-correctable issues is, quite frankly, very surprising to me. Rather than defend such deficiencies, why not eliminate them? Can you think of any good reason that the public should know what version software a site is running? I cannot. I really hope the team considers fixing these types of issues.
Robust
Well-known member
I wouldn't classify showing the version as an issue. Security by obscurity is not a good practice.
As Chris said, you can simply add password protection to that page (which you probably should be doing anyway). I don't remember anywhere on the frontend that shows the version.
If there's a security bug in the software, you should be updating your software as soon as possible, rather than hoping that people won't attempt to exploit it because they don't know your forum version (hint: they'll probably try regardless). XenForo has a great security record, though. I don't recall any major security bugs off the top of my head.
As Chris said, you can simply add password protection to that page (which you probably should be doing anyway). I don't remember anywhere on the frontend that shows the version.
If there's a security bug in the software, you should be updating your software as soon as possible, rather than hoping that people won't attempt to exploit it because they don't know your forum version (hint: they'll probably try regardless). XenForo has a great security record, though. I don't recall any major security bugs off the top of my head.
I disagree. ANY revelation of system data is another potential tool for professional or amateurs to attack a site.
If you recall, XenForo recommends that we keep the 'install' directory intact, in case it is needed in the future. ANYONE can visit the /install/ path and see the software version in the lower right corner of the screen. That is a separate issue from securing the install directory. Most solutions do not leave an install folder for obvious reasons.
As far as security exploits and XenForo go, I only had to repeat a search I had previously done to see this little jewel: "The vulnerability allows remote attackers to read sensitive information from the XenForo database like usernames and passwords. Since the affected REST actions do not require an authentication hash, these vulnerabilities can be exploited by an unauthenticated attacker."
Hmm. Unauthenticated hacker. Unauthenticated user. Is there much of a difference? For the record, I have already addressed the install path issue on my sites. I raised the point to determine the WHY. While defenses (a.k.a. excuses) abound, those don't really address the issue, do they?
If you recall, XenForo recommends that we keep the 'install' directory intact, in case it is needed in the future. ANYONE can visit the /install/ path and see the software version in the lower right corner of the screen. That is a separate issue from securing the install directory. Most solutions do not leave an install folder for obvious reasons.
As far as security exploits and XenForo go, I only had to repeat a search I had previously done to see this little jewel: "The vulnerability allows remote attackers to read sensitive information from the XenForo database like usernames and passwords. Since the affected REST actions do not require an authentication hash, these vulnerabilities can be exploited by an unauthenticated attacker."
Hmm. Unauthenticated hacker. Unauthenticated user. Is there much of a difference? For the record, I have already addressed the install path issue on my sites. I raised the point to determine the WHY. While defenses (a.k.a. excuses) abound, those don't really address the issue, do they?
Ernest L. Defoe
Well-known member
Why don’t you share the link of this search cause as far as I was aware passwords were stored in the database in such a way you couldn’t read them.
Robust
Well-known member
Sounds a lot like security by obscurity. I would not call the XenForo version you're running "system data".
I *think* you can delete it. It's only really used for upgrades, and an upgrade would create a new install folder. There's no disadvantage to leaving it there and simply securing it. You can't use the system without a login any more than you can use the Admin CP without a login. Being upset about the install directory being left there is like being upset that the Admin CP exists. If you want additional security in those areas, you can use htpasswd or IP address limitations.
I believe you're referring to https://www.exploit-db.com/exploits/39849/
This is for XenAPI, a third party add-on that isn't endorsed by XenForo. As with all add-ons, you use them at your own risk. They're not certified by the XenForo team, as the disclaimer says (or did say, I can't seem to find it anymore).
I am yet to hear of an exploited XenForo installation by a security bug in the XenForo code, never mind an installation exploited by leaving the install directory unprotected or showing the XenForo version in an area that can be hidden from the public if you desire.
It doesn't need to be standard. If you're afraid of exploitation as a result of someone knowing your XenForo version then you can absolutely hide it yourself. But you've failed to address the point that, assuming a critical security issue pops up, people are going to try even if they don't know your version. To exploit a vulnerability you do not need to know the version someone's running.
