<p>+1</p>
<div class="gmail_quote">On Dec 31, 2011 10:50 PM, "Greg Knaddison" &lt;<a href="mailto:greg.knaddison@acquia.com">greg.knaddison@acquia.com</a>&gt; wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
(Pardon me going further OT).<br>
<br>
The security exposure is there whether the .txt files are present or<br>
not. Most automated spiders don't look for the CHANGELOG.txt, they<br>
just probe for the vulnerability.<br>
<br>
If you remove the .txt files then someone could just look at the .js<br>
<a href="http://www.cognisync.com/misc/drupal.js" target="_blank">http://www.cognisync.com/misc/drupal.js</a><br>
If you remove or obscure the .js then you could look at the css<br>
<a href="http://www.cognisync.com/modules/system/system.css" target="_blank">http://www.cognisync.com/modules/system/system.css</a><br>
If you remove/obscure the css then you could look at...something else<br>
<br>
It's a long and silly road to go down, the end result of which is time<br>
wasted and no additional security. Better is just to stay up to<br>
date...<br>
<br>
Here's a more thorough discussion of the idea<br>
<a href="http://drupalscout.com/knowledge-base/hiding-fact-your-site-runs-drupal-or-fingerprinting-drupal-site" target="_blank">http://drupalscout.com/knowledge-base/hiding-fact-your-site-runs-drupal-or-fingerprinting-drupal-site</a><br>
<br>
All that said, I personally worry about contrib/custom theme/module<br>
code more than an outdated version of core. Most core bugs are<br>
difficult to exploit compared to the fun stuff you can find in<br>
contrib/custom theme/modules.<br>
<br>
Regards,<br>
Greg<br>
<br>
On Sat, Dec 31, 2011 at 3:33 PM, Ms. Nancy Wichmann<br>
&lt;<a href="mailto:nan_wich@bellsouth.net">nan_wich@bellsouth.net</a>&gt; wrote:<br>
> OMG! I always wondered why some people recommend moving those text files out<br>
> of the root directory. Now I see the security exposure!<br>
><br>
> Nancy<br>
><br>
> Injustice anywhere is a threat to justice everywhere. -- Dr. Martin L. King,<br>
> Jr.<br>
><br>
> ________________________________<br>
> From: Steve Purkiss<br>
><br>
> Don't forget about Number 5!<br>
> <a href="http://www.cognisync.com/CHANGELOG.txt" target="_blank">http://www.cognisync.com/CHANGELOG.txt</a><br>
><br>
><br>
> _______________________________________________<br>
> consulting mailing list<br>
> <a href="mailto:consulting@drupal.org">consulting@drupal.org</a><br>
> <a href="http://lists.drupal.org/mailman/listinfo/consulting" target="_blank">http://lists.drupal.org/mailman/listinfo/consulting</a><br>
><br>
<br>
<br>
<br>
--<br>
Director Security Services | <a href="tel:%2B1-720-310-5623" value="+17203105623">+1-720-310-5623</a><br>
Skype: greg.knaddison | <a href="http://twitter.com/greggles" target="_blank">http://twitter.com/greggles</a> | <a href="http://acquia.com" target="_blank">http://acquia.com</a><br>
</blockquote></div>