[#15769] - [4.0][Security] Remove Statistics from default install on frontend
- Closed
- 18 Aug 2017
- Medium
- Build: master
- # 15769
Steps to reproduce the issue
Install Joomla 4
go to http://joomla4/index.php/statistics
Expected result
that I am not telling the world - by default - my version numbers, how many users my site has and how popular Im not.
Actual result
joomla-cms-bot
- | Labels |
Added:
?
|
||
franz-wohlkoenig
- | Category | ⇒ | com_modules Front End |
| Status | New | ⇒ | Discussion |
This is because of a small confusion/bug in the installer. (I will address this in a PR)
Joomla 4. currently only has one sample data set and this is the old sample_testing.sql file which is never shipped in Joomla so the report here is not exactly as described.
The statistics module is never created on a live install of Joomla.
There is however a valid issue that it might be considered a security information disclosure if a site owner does publish the module but that would probably go into the "hack yourself" category.
The statistics module is never created on a live install of Joomla.
The current Joomla 4 installer - accepting all the defaults - installs this module with public access.
Someone installing Joomla 4 on a server somewhere = a live install of Joomla = this module being available
Joomla 4 looks years away, so lets hope people only install it locally for now.
I am going to close this. Joomla 4 should not be installed on a live server and this module is only published with the test data that is never distributed
| Status | Discussion | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2017-08-18 10:57:56 |
| Closed_By | ⇒ | brianteeman |
Perhaps the statistic module should be removed (or excluded like the weblinks) at all?
I do not see any purpose in a module where I can fake my clicks and show my server information in the frontend...