Check an Atom feed of a component (e.g. an article category view). Before the patch, the `<generator>` tag shows the version as 1.6. After the patch it shows 3.3 (the version number is pulled from JVersion, so it will not need updating in the future).
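One way to check the feed output during testing, written as an added example rather than code from this PR or from Joomla: the script parses an Atom feed, reads the `<generator>` element (both its `version` attribute and any version written into its text), and reports whether what the feed discloses matches the site's "Show Joomla! Version" setting. The sample feeds are constructed inline to mirror the element shape described in the test instructions; the `show_version_setting` flag stands in for the global configuration value and is an assumption of this example.

```python
import re
import xml.etree.ElementTree as ET

ATOM_NS = "{http://www.w3.org/2005/Atom}"
# Dotted numeric version such as 3.3 or 3.3.1 inside free text
VERSION_RE = re.compile(r"\b\d+(?:\.\d+)+\b")


def make_feed(version=None):
    """Build a minimal Atom feed (constructed sample, not captured from a site).

    The generator element mirrors the shape described in the test instructions;
    the version attribute is omitted when `version` is None.
    """
    attr = f' version="{version}"' if version else ""
    return (
        '<feed xmlns="http://www.w3.org/2005/Atom">\n'
        "  <title>Sample category feed (constructed)</title>\n"
        f'  <generator uri="http://joomla.org"{attr}>'
        "Joomla! - Open Source Content Management</generator>\n"
        "</feed>\n"
    )


def generator_info(feed_xml):
    """Return (generator text, disclosed version or None) for an Atom feed."""
    root = ET.fromstring(feed_xml)
    gen = root.find(ATOM_NS + "generator")
    if gen is None:
        return None, None
    text = (gen.text or "").strip()
    version = gen.get("version")
    if version is None:
        # Fall back to a version written into the element text, e.g. "Joomla! 3.3.1"
        match = VERSION_RE.search(text)
        version = match.group(0) if match else None
    return text, version


def audit_feed(feed_xml, show_version_setting):
    """Compare the feed's generator output with the 'Show Joomla! Version' setting.

    Returns a list of findings; an empty list means the feed is consistent with
    the setting (assumed here as a boolean flag). Versions with three or more
    components are flagged separately because they identify a specific release.
    """
    findings = []
    _, version = generator_info(feed_xml)
    if version is None:
        return findings
    if not show_version_setting:
        findings.append(
            f"generator discloses version {version} although the site setting is off"
        )
    if version.count(".") >= 2:
        findings.append(f"generator discloses an exact release ({version})")
    return findings


if __name__ == "__main__":
    for label, feed in [
        ("pre-patch constant", make_feed("1.6")),
        ("post-patch, JVersion", make_feed("3.3")),
        ("setting off, no version", make_feed()),
    ]:
        print(label, "->", audit_feed(feed, show_version_setting=False) or "ok")
```

To run it against a live site, replace the constructed feed with the body of an HTTP GET of the category feed URL and pass the value of the site's global setting as `show_version_setting`; an empty result means the feed honours the setting.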
Security Alert: I'm seeing this as adding a private information disclosure vulnerability. Giving the exact Joomla version out in a machine-readable format is imho not a good idea.
I'd say it should be tied to the global setting where we can say to show the generator tag or not.
I don't see an issue with that, but I'm just fixing a bug. That's a separate feature/security fix and should have a separate PR.
"1.6" as a constant was not giving too much details about the exact version of Joomla, beyond that it was post-1.5. That's something easy to guess off the site main page too.
So giving a way more precise version is not a bug fix, but a new feature. Or, thanks to the imho intended "bug", we were on the safe side. And at the very least it should be output only if the setting to output the generator is set, as @Bakual proposes.
Unwanted information leakage is a vulnerability per https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
By that account then, every version of Joomla ever released will always contain this type of vulnerability. Out of the box, the version number can easily be extracted, search administrator/manifests/files/joomla.xml.
Here's how I see it personally. If we are outputting a version number anywhere, it should be accurate; security through obscurity is stupid and while a version number will help some folks, others could care less and will just attack (you should see the logs for our issue tracker application and the number of CMS and WordPress based attacks that are attempted daily). If there's an application toggle to show/hide the version number in sources, it should apply to all locations equally; we have that so use it.
As I see it lets merge this (once it has the tests) if the Security Strike team feel there is an issue worth pursuing then let them go with it in the next release
@mbabker With all my due respect for all your great contributions, I believe that you are confusing "security by obscurity" with "sensitive information disclosure", where "precise versions of services" is classified as a Level-2 PCI-DSS Vulnerability, e.g.
PCI-DSS compliance is important for Joomla (and Joomla was passing it with proper Joomla and server settings), and that's why I'm mentioning it here: PCI-DSS compliance is required for e-commerce. So no longer passing PCI-DSS is probably not open for discussion. Example reference document, see page 6, Level 2:
https://www.pcisecuritystandards.org/pdfs/pci_scanning_procedures_v1-1.pdf
You can find similar mentions of exact version leakage referred to as a vulnerability in various authoritative security documents, e.g.:
https://www.owasp.org/index.php/Information_Leakage
I know too that there are lots of blind attacks, but there are also a lot which are much more sophisticated and less visible in the server logs.
Ok, don't want to sidetrack this, as we all agree that if there is a setting, it should apply, here it is:
At the bottom of the first tab "Site" of the global Joomla configuration, there is a setting "Show Joomla! Version" (default No).
Thus I conclude that you and @Bakual also agree that it should apply to the RSS feed too.
@wilsonge with all due respect for all your great contributions too, I'm one of the members of the Joomla Security Strike Team, and I'm opposing this PR as is. I won't oppose it if the precise version is subject to the existing setting I mentioned above. Please amend your PR accordingly so that we are all happy.
Done.
from me, source-code changes wise
Status: New ⇒ Closed
Closed_Date: 0000-00-00 00:00:00 ⇒ 2014-06-10 23:53:20
Tested, works fine!