[consulting] security of CHANGELOG.txt
Morbus Iff
morbus at disobey.com
Mon Sep 28 23:07:51 UTC 2009
> I think it is good to remove it. You don't need it with Drupal
> status pages telling you version info in the system. It just gives
> hackers more info to narrow down the exploits needed to hack a site/
> app. I have noticed that most of the large/well-known Drupal sites
You can remove it - there's no problem with that. However, you're
gaining absolutely nothing security-wise. There are sniffers out there
that can detect what version you're running just by the outputs of your
site. Similarly, most exploitation kits will test hundreds of exploits
on your system *regardless of what version you have*. In actuality, it
*takes too much work to find out what version you have* - most kits just
throw the whole sink at your site, in hopes that something works.
--
Morbus Iff ( anything else in the box, pandora? )
Technical: http://www.oreillynet.com/pub/au/779
Enjoy: http://www.disobey.com/ and http://www.videounderbelly.com/
aim: akaMorbus / skype: morbusiff / icq: 2927491 / jabber.org: morbus