[consulting] January gig for Forum and OG experienced developer

Greg Knaddison greg.knaddison at acquia.com
Sat Dec 31 22:50:30 UTC 2011


(Pardon me for going further OT).

The security exposure is there whether the .txt files are present or
not. Most automated spiders don't look for the CHANGELOG.txt, they
just probe for the vulnerability.

If you remove the .txt files then someone could just look at the .js
http://www.cognisync.com/misc/drupal.js
If you remove or obscure the .js then you could look at the css
http://www.cognisync.com/modules/system/system.css
If you remove/obscure the css then you could look at...something else

It's a long and silly road to go down, the end result of which is time
wasted and no additional security. Better is just to stay up to
date...

Here's a more thorough discussion of the idea
http://drupalscout.com/knowledge-base/hiding-fact-your-site-runs-drupal-or-fingerprinting-drupal-site

All that said, I personally worry about contrib/custom theme/module
code more than an outdated version of core. Most core bugs are
difficult to exploit compared to the fun stuff you can find in
contrib/custom theme/modules.

Regards,
Greg

On Sat, Dec 31, 2011 at 3:33 PM, Ms. Nancy Wichmann
<nan_wich at bellsouth.net> wrote:
> OMG! I always wondered why some people recommend moving those text files out
> of the root directory. Now I see the security exposure!
>
> Nancy
>
> Injustice anywhere is a threat to justice everywhere. -- Dr. Martin L. King,
> Jr.
>
> ________________________________
> From: Steve Purkiss
>
> Don't forget about Number 5!
> http://www.cognisync.com/CHANGELOG.txt
>



-- 
Director Security Services | +1-720-310-5623
Skype: greg.knaddison | http://twitter.com/greggles | http://acquia.com

