Hello:
In main access page of default larry theme can be seen as page footer "Roundcube Webmail 0.8-beta "
Once authorized, there is an "About" tag wich explains the Roundcube version installed and the plugins used.
All this info is useful for admin purposes but I think should not be shown to everyone, or should be less detailed.
¿Is there any easy way to hide this info shown in main page and in about tag in larry theme?
Thanks everybody in advance.
Auto-replying myself:
Just have to edit the /skins/larry/templates/about.html to show any other info when using the About tag.
El 16/07/2012 13:09, Juan Carlos Sanchez escribió:
Hello:
In main access page of default larry theme can be seen as page footer "Roundcube Webmail 0.8-beta "
Once authorized, there is an "About" tag wich explains the Roundcube version installed and the plugins used.
All this info is useful for admin purposes but I think should not be shown to everyone, or should be less detailed.
¿Is there any easy way to hide this info shown in main page and in about tag in larry theme?
Thanks everybody in advance.
this is a BAD default
usually distributions packaging roundcube and if this file is not flagged es config-noreplace any change gets overwritten on updates
for security reason no software has to cry out it's version to random robots and possible attackers as default!
Am 16.07.2012 13:23, schrieb Juan Carlos Sanchez:
Auto-replying myself:
Just have to edit the /skins/larry/templates/about.html to show any other info when using the About tag.
El 16/07/2012 13:09, Juan Carlos Sanchez escribió:
Hello:
In main access page of default larry theme can be seen as page footer "Roundcube Webmail 0.8-beta "
Once authorized, there is an "About" tag wich explains the Roundcube version installed and the plugins used.
All this info is useful for admin purposes but I think should not be shown to everyone, or should be less detailed.
¿Is there any easy way to hide this info shown in main page and in about tag in larry theme?
Thanks everybody in advance.
On Mon, Jul 16, 2012 at 1:23 PM, Juan Carlos Sanchez juancarlos.sanchez@upm.es wrote:
Auto-replying myself:
Just have to edit the /skins/larry/templates/about.html to show any other info when using the About tag.
There's a yet undocumented feature that allows you to extend the contents of the about dialog by creating a file named about.html within the config folder. You can even add localized versions by naming them for example about.de_DE.html.
The default contents, including the list of installed plugins should actually remain in there because some plugins which might be published under the AGPL license need a place to show a download link (that's a requirement of the AGPL).
~Thomas
El 16/07/2012 13:09, Juan Carlos Sanchez escribió:
Hello:
In main access page of default larry theme can be seen as page footer "Roundcube Webmail 0.8-beta "
Once authorized, there is an "About" tag wich explains the Roundcube version installed and the plugins used.
All this info is useful for admin purposes but I think should not be shown to everyone, or should be less detailed.
¿Is there any easy way to hide this info shown in main page and in about tag in larry theme?
Thanks everybody in advance.
On Mon, Jul 16, 2012 at 1:32 PM, Reindl Harald h.reindl@thelounge.net wrote:
this is a BAD default
usually distributions packaging roundcube and if this file is not flagged es config-noreplace any change gets overwritten on updates
for security reason no software has to cry out it's version to random robots and possible attackers as default!
That is a BAD argument! If somebody wants to find out the version of a Roundcube installation there are plenty of ways to do so, even without the version directly exposed.
On the other hand, we often get support requests where people cannot say what version of Roundcube they're using because it's not visible to the users.
~Thomas
Am 16.07.2012 13:23, schrieb Juan Carlos Sanchez:
Auto-replying myself:
Just have to edit the /skins/larry/templates/about.html to show any other info when using the About tag.
El 16/07/2012 13:09, Juan Carlos Sanchez escribió:
Hello:
In main access page of default larry theme can be seen as page footer "Roundcube Webmail 0.8-beta "
Once authorized, there is an "About" tag wich explains the Roundcube version installed and the plugins used.
All this info is useful for admin purposes but I think should not be shown to everyone, or should be less detailed.
¿Is there any easy way to hide this info shown in main page and in about tag in larry theme?
Thanks everybody in advance.
--
Reindl Harald the lounge interactive design GmbH A-1060 Vienna, Hofmühlgasse 17 CTO / CISO / Software-Development p: +43 (1) 595 3999 33, m: +43 (676) 40 221 40 icq: 154546673, http://www.thelounge.net/
http://www.thelounge.net/signature.asc.what.htm
Roundcube Users mailing list users@lists.roundcube.net http://lists.roundcube.net/mailman/listinfo/users
Am 19.07.2012 13:59, schrieb Thomas Bruederli:
On Mon, Jul 16, 2012 at 1:32 PM, Reindl Harald h.reindl@thelounge.net wrote:
this is a BAD default
usually distributions packaging roundcube and if this file is not flagged es config-noreplace any change gets overwritten on updates
for security reason no software has to cry out it's version to random robots and possible attackers as default!
That is a BAD argument!
this NOT a bad argument
If somebody wants to find out the version of a Roundcube installation there are plenty of ways to do so, even without the version directly exposed
but it is more difficult
with your argumentation the Server-Header would also not be needed to find out the exact httpd version
"Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.0j-fips"
it is proven by external security-audits that it is impossible to find out the httpd-version with nessus and other tools if you configure your machine peroperly
On the other hand, we often get support requests where people cannot say what version of Roundcube they're using because it's not visible to the users
so why the hell is there not a config file to enable/disable this instead put it in a default-template which gets randomly overwritten when you install roundcube per package-managment which is the case for most production environments
crying out the exactly installed version of a server software to foreign people is ALWAYS a very bad idea because it may abuse you if there is a known security problem and you are some days behind with updates for whatever reason (distribution lag, vacation, weekend)
On Thu, Jul 19, 2012 at 2:11 PM, Reindl Harald h.reindl@thelounge.net wrote:
Am 19.07.2012 13:59, schrieb Thomas Bruederli:
On Mon, Jul 16, 2012 at 1:32 PM, Reindl Harald h.reindl@thelounge.net wrote:
this is a BAD default
usually distributions packaging roundcube and if this file is not flagged es config-noreplace any change gets overwritten on updates
for security reason no software has to cry out it's version to random robots and possible attackers as default!
The version information has now been removed from the login screen. See https://github.com/roundcube/roundcubemail/commit/b6267dadb6717eae9f661d14dc...
Best, Thomas
Am 31.07.2012 16:48, schrieb Thomas Bruederli:
On Thu, Jul 19, 2012 at 2:11 PM, Reindl Harald h.reindl@thelounge.net wrote:
Am 19.07.2012 13:59, schrieb Thomas Bruederli:
On Mon, Jul 16, 2012 at 1:32 PM, Reindl Harald h.reindl@thelounge.net wrote:
this is a BAD default
usually distributions packaging roundcube and if this file is not flagged es config-noreplace any change gets overwritten on updates
for security reason no software has to cry out it's version to random robots and possible attackers as default!
The version information has now been removed from the login screen. See https://github.com/roundcube/roundcubemail/commit/b6267dadb6717eae9f661d14dc...
thank you!
On 2012-07-31 10:50 AM, Reindl Harald h.reindl@thelounge.net wrote:
Am 31.07.2012 16:48, schrieb Thomas Bruederli:
On Thu, Jul 19, 2012 at 2:11 PM, Reindl Haraldh.reindl@thelounge.net wrote:
for security reason no software has to cry out it's version to random robots and possible attackers as default!
The version information has now been removed from the login screen. See https://github.com/roundcube/roundcubemail/commit/b6267dadb6717eae9f661d14dc...
thank you!
Ummm... and for those who *want* to see the version information?
Choice is good, especially when changing long time defaults.
Den 2012-08-07 13:08, Charles Marcus skrev:
Ummm... and for those who *want* to see the version information? Choice is good, especially when changing long time defaults.
it could be hided only for not auth users and shown to login users that auth, google respect robots.txt ?
oh well i dont have roundcube on port 80 anymore
and google does not treverse 443 yet :=)
-
Benny Pedersen -
Charles Marcus -
Juan Carlos Sanchez -
Reindl Harald -
Thomas Bruederli