On 19.07.2012 13:59, Thomas Bruederli wrote:
> On Mon, Jul 16, 2012 at 1:32 PM, Reindl Harald <h.reindl@thelounge.net> wrote:
>> this is a BAD default
>> usually distributions package roundcube, and if this file is not flagged as config-noreplace, any change gets overwritten on updates
>> for security reasons no software has to cry out its version to random robots and possible attackers by default!
> That is a BAD argument!
this is NOT a bad argument
> If somebody wants to find out the version of a Roundcube installation there are plenty of ways to do so, even without the version directly exposed
but it is more difficult
with your argumentation the Server header would also not be needed to find out the exact httpd version
"Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.0j-fips"
it is proven by external security audits that it is impossible to find out the httpd version with Nessus and other tools if you configure your machine properly
> On the other hand, we often get support requests where people cannot say what version of Roundcube they're using because it's not visible to the users
so why the hell is there no config file to enable/disable this, instead of putting it in a default template which gets randomly overwritten when you install roundcube via package management, which is the case for most production environments
crying out the exact installed version of a server software to foreign people is ALWAYS a very bad idea because it can be abused if there is a known security problem and you are some days behind with updates for whatever reason (distribution lag, vacation, weekend)
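The httpd banner argued about above is controlled by two stock Apache directives, ServerTokens and ServerSignature. The fragment below is an added example for readers of this thread, not configuration posted by either participant; it shows the setting that produces the full banner quoted in the mail next to the setting that reduces it to the bare product name. Pick one of the two blocks, not both: ServerTokens is only valid in the main server configuration, and the last occurrence wins.

```apacheconf
# Added example (not from the mailing-list thread).
# ServerTokens is accepted only in the main server config, never inside
# <VirtualHost> or <Directory>; ServerSignature may also be set per directory.

# --- Weak: many distribution builds ship this. The header becomes
#     Server: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.0j-fips
#     and the same line is appended to every server-generated error page.
ServerTokens Full
ServerSignature On

# --- Hardened: only the product name is sent.
#     Server: Apache
#     Error pages carry no version footer.
ServerTokens Prod
ServerSignature Off
```

The intermediate levels (Major, Minor, Min, OS) each add back a little more detail, so anything other than Prod still leaks the version digits. Prod does not suppress the header entirely; the response still says "Server: Apache", and replacing or blanking that string needs a module such as mod_security (SecServerSignature). After reloading httpd, check the result from an outside host with `curl -sI https://mail.example.org/ | grep -i '^Server:'` (hostname is a placeholder).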