[RCU] hide install details 0.8

Reindl Harald h.reindl at thelounge.net
Thu Jul 19 14:11:12 CEST 2012

Am 19.07.2012 13:59, schrieb Thomas Bruederli:
> On Mon, Jul 16, 2012 at 1:32 PM, Reindl Harald <h.reindl at thelounge.net> wrote:
>> this is a BAD default
>> usually distributions packaging roundcube and
>> if this file is not flagged as config-noreplace
>> any change gets overwritten on updates
>> for security reason no software has to cry out
>> its version to random robots and possible
>> attackers as default!
> That is a BAD argument!

this is NOT a bad argument

> If somebody wants to find out the version of a
> Roundcube installation there are plenty of ways
> to do so, even without the version directly exposed

but it is more difficult

with your argumentation the Server-Header would also not be
needed to find out the exact httpd version

"Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.0j-fips"

it is proven by external security-audits that it is impossible
to find out the httpd-version with nessus and other tools if
you configure your machine properly

> On the other hand, we often get support requests where people cannot
> say what version of Roundcube they're using because it's not visible
> to the users

so why the hell is there not a config file to enable/disable this
instead put it in a default-template which gets randomly overwritten
when you install roundcube per package-management which is the case
for most production environments

crying out the exactly installed version of a server software to foreign
people is ALWAYS a very bad idea because it may abuse you if there is a
known security problem and you are some days behind with updates for
whatever reason (distribution lag, vacation, weekend)
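
A small self-check a defender can run against their own server's responses, added here as an example and not part of the thread or of Roundcube itself: it flags any product/version tokens in banner headers and a version string in the page body. The Server header is the one quoted above; the X-Powered-By value, the footer markup and the Roundcube version string are constructed, and the directives named in the comments (`ServerTokens Prod`, `expose_php = Off`) are the standard Apache and PHP settings for suppressing those banners.

```python
import re

# Matches a product/version token such as "Apache/2.2.22" or "OpenSSL/1.0.0j-fips"
VERSION_TOKEN = re.compile(r"\b([A-Za-z][\w.-]*)/(\d+(?:\.\d+)+[\w.-]*)")

# Roundcube's stock template prints its version in the page; the exact markup
# below is an assumption for this example, not the project's real template.
ROUNDCUBE_VERSION = re.compile(r"Roundcube\s+Webmail\s+(\d+(?:\.\d+)+(?:-\w+)?)", re.I)

# Response headers that commonly carry software banners
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "via")


def disclosed_versions(headers, body=""):
    """Return a sorted list of (where, product, version) tuples that tell a
    remote client exactly which software versions are running."""
    findings = set()
    for name, value in headers.items():
        if name.lower() in BANNER_HEADERS:
            for product, version in VERSION_TOKEN.findall(value):
                findings.add((name, product, version))
    for version in ROUNDCUBE_VERSION.findall(body):
        findings.add(("body", "Roundcube", version))
    return sorted(findings)


# Constructed sample: the Server string quoted in the mail, a PHP banner, and a
# footer of the kind the stock Roundcube template prints.
LEAKY_HEADERS = {
    "Server": "Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.0j-fips",
    "X-Powered-By": "PHP/5.3.3",
}
LEAKY_BODY = '<div id="footer">Roundcube Webmail 0.8-beta</div>'

# The same server after `ServerTokens Prod` (Apache), `expose_php = Off` (PHP)
# and a template edited to drop the version string (constructed hardened case).
QUIET_HEADERS = {"Server": "Apache"}
QUIET_BODY = '<div id="footer">Roundcube Webmail</div>'

if __name__ == "__main__":
    for label, hdrs, body in (("leaky", LEAKY_HEADERS, LEAKY_BODY),
                              ("quiet", QUIET_HEADERS, QUIET_BODY)):
        print(label, disclosed_versions(hdrs, body))
```

Feed it the headers and body of a real response from your own installation; an empty list means nothing that a version-matching scanner could key on is being advertised.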
