A customer of ours had his Joomla! website scanned for vulnerabilities. Among other findings, the consultant suggested removing version information from various third-party libraries used by Joomla!
I agree with this suggestion and therefore submit this issue here. That respective version information could for example be stored in a central "3rd-Party Libraries - Versions used.txt" file. I am listing a few libraries where the consultant explicitly suggested concealing the version information, but of course there are many more instances:
/media/vendor/jquery/js/jquery.js
/media/vendor/jquery/js/jquery.min.js
/media/vendor/jquery-migrate/js/js-migrate.js
/media/vendor/jquery-migrate/js/js-migrate.min.js
/media/vendor/jquery-ui/js/jquery.ui.core.js
/media/vendor/jquery-ui/js/jquery.ui.core.min.js
/media/vendor/jquery-ui/js/jquery.ui.sortable.js
/media/vendor/jquery-ui/js/jquery.ui.sortable.min.js
Based on nightly build:
"Joomla_4.0.0-alpha8-dev-Development-Full_Package.zip"
Wednesday, 27 March 2019 02:00:45 UTC
Priority | Medium | ⇒ | Very low |
Status | New | ⇒ | Information Required |
Changed Title as Priority is assigned at Issue Tracker (https://issues.joomla.org/tracker/joomla-cms/24372).
@zero-24
Of course you are right, this is only a small increase in security (it makes it more expensive to "scan the web for vulnerable software").
But if it were completely useless, then why was the version number removed from the Joomla " " tag? I kind of remember that in Joomla 1.5 the detailed version number was indeed shown. Also, modern "Apache" webservers identify themselves only as "Apache" and no longer as "Apache 2.4.10 debian" or something like that.
I could indeed go on naming respective examples.
the "tag" was removed, sorry:
meta name="generator" content="Joomla! - Open Source Content Management"
Status | Information Required | ⇒ | Discussion |
Category | ⇒ | Libraries |
This should be closed as won't fix. At no point should third party code be altered by Joomla. Depending on how version information is exposed, removing it has the potential of breaking code that uses it (i.e. if a library has its version number in a variable or function somewhere, removing that causes code that might parse and use that version info for something to not function correctly).
File a bug report with jQuery if you feel they should take steps to remove version identifiers from their files.
Status | Discussion | ⇒ | Information Required |
Closing for the reason given by Michael; I didn't notice they are all from the vendor folder ;)
Status | Information Required | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2019-03-27 12:20:58 |
Closed_By | ⇒ | zero-24 |
Hi @schultz-it-solutions
Why would removing version information protect your site? You are still using a vulnerable version, and by just checking the hash of the file the version can be detected.
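To illustrate the point made in the last comment (and why stripping banners from vendor files buys so little), here is an added example of how a scanner fingerprints a served JavaScript file. This is not code from the thread, from Joomla, or from jQuery; the "demolib" sources, version numbers and hashes are constructed inline for the demonstration. The scanner tries an exact SHA-256 match against a table of known releases first, then hashes the file with its leading comment banner stripped (which defeats a simple banner removal or edit), and only as a last resort reads the version string out of the banner.

```python
import hashlib
import re

# Constructed sample "vendor" files: two releases of an imaginary library.
# Placeholders only; not real jQuery or Joomla sources.
KNOWN_FILES = {
    "1.0.0": "/*! demolib v1.0.0 | (c) demolib authors | MIT */\nfunction demo(){return 1;}\n",
    "1.0.1": "/*! demolib v1.0.1 | (c) demolib authors | MIT */\nfunction demo(){return 2;}\n",
}

# Leading block comments and // line comments, where version banners live.
LEADING_COMMENTS = re.compile(r"^\s*(?:/\*.*?\*/\s*|//[^\n]*\n\s*)*", re.DOTALL)
VERSION_RE = re.compile(r"\bv?(\d+\.\d+\.\d+)\b")


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def strip_banner(text):
    """Normalize line endings and drop leading comment banners so that
    cosmetic edits to the header do not change the fingerprint."""
    normalized = text.replace("\r\n", "\n")
    m = LEADING_COMMENTS.match(normalized)
    return normalized[m.end():].strip() + "\n"


def banner_version(text):
    """Least reliable signal: a version string in the leading comments.
    Returns None when there is no banner or it carries no version."""
    normalized = text.replace("\r\n", "\n")
    m = LEADING_COMMENTS.match(normalized)
    found = VERSION_RE.search(normalized[:m.end()])
    return found.group(1) if found else None


def build_index(known):
    """Precompute exact-file and banner-stripped hashes for every release,
    as a vulnerability scanner would from the vendor's published files."""
    return {
        "exact": {sha256_hex(src): ver for ver, src in known.items()},
        "body": {sha256_hex(strip_banner(src)): ver for ver, src in known.items()},
    }


INDEX = build_index(KNOWN_FILES)


def fingerprint(text, index=INDEX):
    """Return (version, method). Hash matches beat the banner, because the
    banner can be removed or edited while the code itself stays the same."""
    ver = index["exact"].get(sha256_hex(text))
    if ver:
        return ver, "exact-hash"
    ver = index["body"].get(sha256_hex(strip_banner(text)))
    if ver:
        return ver, "body-hash"
    ver = banner_version(text)
    if ver:
        return ver, "banner"
    return None, "unknown"


if __name__ == "__main__":
    served = strip_banner(KNOWN_FILES["1.0.1"])  # site owner removed the banner
    print(fingerprint(KNOWN_FILES["1.0.1"]))     # ('1.0.1', 'exact-hash')
    print(fingerprint(served))                   # ('1.0.1', 'body-hash')
```

Removing or rewriting the banner only changes which of the three checks succeeds; the underlying release is still identified as long as the code body is unmodified, which is exactly the situation for an unpatched vendor file.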