WebApp Sec mailing list archives
removing version identifying attribution data
From: Robin Wood <dninja () gmail com>
Date: Thu, 4 Mar 2010 00:32:10 +0000
With a lot of open source web apps there is usually some kind of file or comment block in the code that identifies the author and gives attribution. The problem with most of these is that they end up leaking information about the version of the app being used.

I'm very keen on keeping attribution in place and wouldn't want to release software without giving due credit, but at the same time I'd rather not expose my clients to data leakage which I could easily control by removing all, or at least part, of the attribution.

The three general options I can see are:

* leave as is and if there is a vuln found hope you can patch before the bad guys scan and find your site - battle potential google dorks
* modify the included file or comment block to cut the information down to a minimum - either a lot of manual work or search and replace job depending on how consistent the info is
* remove all attribution but put in place a file offering full disclosure to anyone who asks for the information - doesn't credit the authors directly which would annoy me if it were my code

What do others do about this?

Robin
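The second option above (keep the credit, drop the release identifiers) is the one most open to automation. The following is an added example, not code from the original post or from any project: it takes a typical header comment, removes the lines and inline tokens that name a release, keeps the author, copyright and licence lines, and returns the list of lines it touched so the change can be reviewed before it is committed. The `ExampleCMS` header is a constructed sample, and the tag names and version notations it looks for are assumptions about common conventions, not an exhaustive list.

```python
import re

# Constructed sample: a header comment that credits the author but also
# leaks the exact release in several common notations.
SAMPLE_HEADER = """<?php
/**
 * ExampleCMS - a hypothetical open source content manager
 *
 * @author    Jane Developer <jane@example.org>
 * @copyright 2010 Jane Developer
 * @license   GPLv2
 * @version   2.3.1
 * @link      http://example.org/examplecms
 * Generated by ExampleCMS v2.3.1 (build 4521)
 */
"""

# Doc-comment tags whose only purpose is to name a release: the whole
# line is dropped. Tag names are an assumption about common conventions.
VERSION_TAG = re.compile(r"^\s*\*?\s*@(version|since|build|release)\b", re.I)

# Inline release markers such as "2.3.1", "v2.3.1", "version 2.3.1" or
# "(build 4521)". These are cut out of the line rather than dropping the
# line, so the surrounding credit text survives. A bare year like "2010"
# does not match because a dotted number is required.
INLINE_VERSION = re.compile(
    r"\b(?:version\s*|v)?\d+\.\d+(?:\.\d+)*\b|\(build\s+\d+\)", re.I)


def strip_version_info(text):
    """Return (cleaned_text, changed_lines).

    changed_lines holds the original form of every line that was removed
    or edited, which doubles as an audit of what the header was leaking.
    """
    out, changed = [], []
    for line in text.splitlines():
        if VERSION_TAG.match(line):
            changed.append(line)      # drop the whole @version-style line
            continue
        new = INLINE_VERSION.sub("", line)
        if new != line:
            changed.append(line)
            # tidy the double spaces left behind by the removed token
            line = re.sub(r"\s{2,}", " ", new).rstrip()
        out.append(line)
    return "\n".join(out) + "\n", changed
```

Run over a source tree, the `changed` list also answers the first question a reviewer will ask: which files were exposing a release number in the first place.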