[Trac-tickets] Re: [The Trac Project] #2691: Trac shouldn't announce version number
The Trac Project
noreply at edgewall.com
Thu Feb 2 15:34:30 CST 2006
#2691: Trac shouldn't announce version number
-----------------------------+-------------------------------------------------
Reporter:   matt at mafr.de  |  Owner:       jonas
Type:       defect           |  Status:      new
Priority:   high             |  Milestone:
Component:  general          |  Version:     0.9.3
Severity:   major            |  Resolution:
Keywords:   security         |
-----------------------------+-------------------------------------------------
Comment (by anonymous):
"Security by obscurity", funny. Sure, hiding the version number doesn't
fix security leaks, but announcing to the world (and yes, that's what
you're doing) that you're running a possibly vulnerable software package
is like putting a sign on your front door: "key under the mat".

SecurityFocus lists 9 (!) security-related issues with Trac, I'm sure they
were not the last ones.

Fingerprinting via Google is done a lot these days, that's why so many web
bulletin boards are hacked each day. Please, don't make your users easy
targets.

There are still 172 vulnerable Tracs out there, although the last serious
bug was fixed a month ago. A lot of time for attackers.
--
Ticket URL: <http://projects.edgewall.com/trac/ticket/2691>
The Trac Project <http://trac.edgewall.com/>