[consulting] January gig for Forum and OG experienced developer

Steve Purkiss steve at purkiss.com
Sat Dec 31 22:58:09 UTC 2011


+1
On Dec 31, 2011 10:50 PM, "Greg Knaddison" <greg.knaddison at acquia.com>
wrote:

> (Pardon me going further OT).
>
> The security exposure is there whether the .txt files are present or
> not. Most automated spiders don't look for the CHANGELOG.txt, they
> just probe for the vulnerability.
>
> If you remove the .txt files then someone could just look at the .js
> http://www.cognisync.com/misc/drupal.js
> If you remove or obscure the .js then you could look at the css
> http://www.cognisync.com/modules/system/system.css
> If you remove/obscure the css then you could look at...something else
>
> It's a long and silly road to go down, the end result of which is time
> wasted and no additional security. Better is just to stay up to
> date...
>
> Here's a more thorough discussion of the idea
>
> http://drupalscout.com/knowledge-base/hiding-fact-your-site-runs-drupal-or-fingerprinting-drupal-site
>
> All that said, I personally worry about contrib/custom theme/module
> code more than an outdated version of core. Most core bugs are
> difficult to exploit compared to the fun stuff you can find in
> contrib/custom theme/modules.
>
> Regards,
> Greg
>
> On Sat, Dec 31, 2011 at 3:33 PM, Ms. Nancy Wichmann
> <nan_wich at bellsouth.net> wrote:
> > OMG! I always wondered why some people recommend moving those text files out
> > of the root directory. Now I see the security exposure!
> >
> > Nancy
> >
> > Injustice anywhere is a threat to justice everywhere. -- Dr. Martin L. King, Jr.
> >
> > ________________________________
> > From: Steve Purkiss
> >
> > Don't forget about Number 5!
> > http://www.cognisync.com/CHANGELOG.txt
> >
> >
> > _______________________________________________
> > consulting mailing list
> > consulting at drupal.org
> > http://lists.drupal.org/mailman/listinfo/consulting
> >
>
>
>
> --
> Director Security Services | +1-720-310-5623
> Skype: greg.knaddison | http://twitter.com/greggles | http://acquia.com
>
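
Added example, not part of the thread and not Drupal project code: a local docroot audit illustrating the point made in the quoted reply, that deleting CHANGELOG.txt leaves the site just as identifiable and only makes your own version check harder. The three paths are the ones named in the message; the release heading format and the version numbers in the demo are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Files the thread names as revealing Drupal, relative to the docroot.
FINGERPRINT_PATHS = ("CHANGELOG.txt", "misc/drupal.js", "modules/system/system.css")
# Assumed release heading in core's CHANGELOG.txt, e.g. "Drupal 7.10, 2011-12-05".
RELEASE_HEADING = re.compile(r"^Drupal (\d+)\.(\d+)\b", re.MULTILINE)

def installed_core_version(docroot):
    """Return (major, minor) of the newest CHANGELOG.txt entry, or None if unknown."""
    changelog = Path(docroot) / "CHANGELOG.txt"
    if not changelog.is_file():
        return None
    match = RELEASE_HEADING.search(changelog.read_text(errors="replace"))
    return (int(match.group(1)), int(match.group(2))) if match else None

def audit(docroot, minimum):
    """Report what still identifies the site and whether core is behind `minimum`.

    `minimum` is the (major, minor) release you require; it is only compared
    against an installed version on the same major branch.
    """
    root = Path(docroot)
    version = installed_core_version(root)
    comparable = version is not None and version[0] == minimum[0]
    return {
        "identifiable_by": [p for p in FINGERPRINT_PATHS if (root / p).is_file()],
        "core_version": version,
        # None = cannot tell from the docroot; check the deployment record instead.
        "outdated": version < minimum if comparable else None,
    }

def demo():
    """Constructed docroot: audit it before and after deleting CHANGELOG.txt."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in FINGERPRINT_PATHS:
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text("/* constructed placeholder */\n")
        (root / "CHANGELOG.txt").write_text("\nDrupal 7.8, 2011-08-31\n------\n")
        before = audit(root, minimum=(7, 10))
        (root / "CHANGELOG.txt").unlink()
        return before, audit(root, minimum=(7, 10))

if __name__ == "__main__":
    for report in demo():
        print(report)
```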