Joomla Version Number and Google Webmaster Tools


Mark Dexter

Feb 9, 2012, 11:28:24 AM
to Joomla! CMS Development
Hi everyone. The folks at Google who are responsible for the Google Webmaster Tools (http://support.google.com/webmasters/?hl=en) have asked us if we want to enable an update notification process for our mutual users. They have been doing this for a few years with WordPress. Here is a link with some background information: http://googlewebmastercentral.blogspot.com/2009/11/new-software-version-notifications-for.html.

Here's how it works.

1. WordPress by default puts the full version number in the metadata, similar to what we do (<meta name="generator" content="Joomla! 1.5 - Open Source Content Management" />) except with the full version (for example 1.5.23).
2. WordPress notifies Google when a new version is released or when an old version reaches end of life.
3. When the Google crawler finds a site that should be updated and is registered in Webmaster Tools, Google sends a message via Webmaster Tools to the site admin notifying them that the site should be updated. (If the site is not registered with Webmaster Tools, nothing happens.)

One important advantage of this approach is that site admins can have their Webmaster Tools messages forwarded to them via email. So they can be notified about updates without having to visit or log in to the sites.

The only change we would need to do to enable this would be to put the full version in a meta element. Some people have expressed concern that this is a security risk. Google and WordPress (and most security people I've talked to) think the benefits of update notification are far greater than any risk. (Evidently most hackers just try to run an exploit and don't bother checking for software versions. Also the full version number is already exposed in the administrator/manifests/files/joomla.xml file.)

The PLT thinks it would be a good thing to do. If enough people are concerned about it, we could add a global configuration parameter that would allow people to not expose the version. Even without a parameter, anyone could write a simple plugin to alter or remove the metadata.

My first choice would be to simply add the version number in the metadata without another parameter. My second choice would be to add it in with a parameter (with a default value of showing the version number).

What do other people think about this? Thanks.

Mark Dexter

Nils Rückmann

Feb 9, 2012, 12:24:54 PM
to joomla-...@googlegroups.com
+1

Niels Braczek

Feb 9, 2012, 1:36:53 PM
to joomla-...@googlegroups.com
+1

Regards,
Niels

--
| http://barcamp-wk.de · 1st Barcamp Westküste, 30/31 March 2012 |
| http://www.bsds.de · BSDS Braczek Software- und DatenSysteme |
| Webdesign · Webhosting · e-Commerce · Joomla! Content Management |
------------------------------------------------------------------

Hannes Papenberg

Feb 9, 2012, 1:55:38 PM
to joomla-...@googlegroups.com
Like it. Maybe the best way would be to add a global parameter that
adds/removes the whole generator tag. Or go a step further and make it a
super simple plugin that you can enable/disable. Enabled by default.

Hannes


Matt Thomas

Feb 9, 2012, 2:02:09 PM
to joomla-...@googlegroups.com
The plugin idea is great way to implement this. +1

Best,

Matt Thomas
Founder betweenbrain
Phone: 203.632.9322
Twitter: @betweenbrain

Rouven Weßling

Feb 9, 2012, 2:04:35 PM
to joomla-...@googlegroups.com
I'm also in favor.

I do find it amusing that we just went through quite a bit of trouble with 2.5.0 and 2.5.1 to hide the version number for unauthorised visitors.

On 09.02.2012, at 19:55, Hannes Papenberg wrote:

> Like it. Maybe the best way would be to add a global parameter that
> adds/removes the whole generator tag. Or go a step further and make it a
> super simple plugin that you can enable/disable. Enabled by default.


There are already extensions out there that allow you to hide the generator tag, I don't see why we have to suck it into the core.

Rouven

Mike Carson

Feb 9, 2012, 2:08:08 PM
to joomla-...@googlegroups.com
How would this affect security for sites that are not regularly updated by
their owners? Would this be a potential risk for making the sites an
easier target for those exploiting vulnerabilities?

Regards,
Mike Carson


Mike Carson

Feb 9, 2012, 2:13:58 PM
to joomla-...@googlegroups.com
The more I think about this, I feel there are better ways of achieving the
exact same thing internally on the site itself.
I'm going to use Akeeba Backup as an example. It has a built in update
email notification. So when there is a new version of Akeeba Backup then
the site sends an email to the site administrator notifying then that a
new update is available. This is a very nice feature. Why couldn't the CMS
have an update notification plugin that works in a cronless manner and is
just triggered when the site gets a visit and then sends out the email
notifications that there is an update available.

Regards,
Mike Carson


-----Original Message-----
From: joomla-...@googlegroups.com
[mailto:joomla-...@googlegroups.com] On Behalf Of Rouven Weßling
Sent: Thursday, February 09, 2012 1:05 PM
To: joomla-...@googlegroups.com
Subject: Re: [jcms] Joomla Version Number and Google Webmaster Tools

Rouven

--

Matt Thomas

Feb 9, 2012, 2:15:52 PM
to joomla-...@googlegroups.com
Maybe it would be better to implement this as disabled by default and users could opt-in to use it.

Best,

Matt Thomas
Founder betweenbrain
Phone: 203.632.9322
Twitter: @betweenbrain




Ken Ballou

Feb 9, 2012, 2:15:48 PM
to joomla-...@googlegroups.com
Wouldn't a busy site hammer the update server hard with requests to check for an updated version?

Andrea Tarr at Tarr Consulting

Feb 9, 2012, 2:20:05 PM
to joomla-...@googlegroups.com
One of the good points of the webmaster tools is that the webmaster doesn't need to visit the site to get the message. There are webmasters out there maintaining numerous sites where they don't normally need to visit the backend.

In answer to your first question Mark wrote in his original message:

"Some people have expressed concern that this is a security risk. Google and WordPress (and most security people I've talked to) think the benefits of update notification are far greater than any risk. (Evidently most hackers just try to run an exploit and don't bother checking for software versions. Also the full version number is already exposed in the administrator/manifests/files/joomla.xml file.)"

Thanks,
Andy


Andrea Tarr

Tarr Consulting




Mike Carson

Feb 9, 2012, 2:22:03 PM
to joomla-...@googlegroups.com

I’m sure there are pros and cons about how you do this in any manner.

The site has to do a call home to somewhere to check version numbers no matter what way you implement it.

I think it’s worth discussing though. And personally I think that we need to keep security as a number one concern with making it easy to find out the version number of any given site.


Regards,
Mike Carson

Mark Dexter

Feb 9, 2012, 2:24:09 PM
to joomla-...@googlegroups.com
@Mike: I agree that email notification would be a good feature to look at for core. I think it could be done with a CLI application running from a cron job. However, I don't think that would be a reason not to implement the proposed Google method as well. The more ways we have to let people know about updates, the better in my opinion.

@Ken: With the present update check, we only check the site once per day.

As far as doing this with a plugin, we could certainly do that but it seems like a lot of code and fuss for such a small thing.

Mark

Hannes Papenberg

Feb 9, 2012, 2:27:01 PM
to joomla-...@googlegroups.com

I'm not talking about a plugin to hide it, but to remove that completely from the core (I think its in JDocumentHTML) and instead add the tag with that plugin. So if you want to hide the generator tag, you simply disable that plugin, instead of adding a new plugin. The version number would just be a fixed part of that tag.

Hannes Papenberg

Feb 9, 2012, 2:31:21 PM
to joomla-...@googlegroups.com

If Google crawls your site, sees the version and sends you a reminder, no one has to do any more work than currently is done. Neither your site would "phone home" nor would you query Joomla.org.

Niels Braczek

Feb 9, 2012, 2:32:48 PM
to joomla-...@googlegroups.com
On 09.02.2012 20:08, Mike Carson wrote:

> How would this affect security for sites that are not regularly updated by
> their owners? Would this be a potential risk for making the sites an
> easier target for those exploiting vulnerabilities?

On these sites, the plugin can be disabled. The benefit of these alerts
are greater than the risk.

Ken Ballou

Feb 9, 2012, 2:35:54 PM
to joomla-...@googlegroups.com
On 2/9/2012 2:24 PM, Mark Dexter wrote:
@Mike: I agree that email notification would be a good feature to look at for core. I think it could be done with a CLI application running from a cron job. However, I don't think that would be a reason not to implement the proposed Google method as well. The more ways we have to let people know about updates, the better in my opinion.

@Ken: With the present update check, we only check the site once per day.
This is true, but I thought the proposal was to check for an update every time the site gets a visitor. Perhaps I misunderstood?

Mike Carson

Feb 9, 2012, 2:37:09 PM
to joomla-...@googlegroups.com

OK I do agree with you that the more way of notifying people, the better. But let’s be realistic here, people are LAZY! If they are too lazy to sign up for the security mailing list on the download page of Joomla.org where notifications get sent out, then the chances are also extremely high that they are also going to be too lazy to sign up for the Google notifications as well. I think that if we lived in a euphoric world where everyone took advantage of all the notification efforts that have been put in place then we wouldn’t have to worry about it. But reality is that some people need to be hit upside the head with a 2x4 board before you can get their attention. This is why I think it would be better if the emails come from the site itself. If people got notifications about updates from the site itself they would feel much more of an urgency to update the site because it is more of a personal tie to the site. And for those who build and maintain a lot of sites like we do, I would want to have to try to remember to go log the URL in Google every time for the updates notifications.

Also another PRO to this is that if the site itself notified ALL super users that an update is available, then you would have a much larger chance of the site getting updated when multiple persons are notified.


Just my thoughts to ponder.


Regards,
Mike Carson
Integrated Technology & Design Inc.
Your Web Solutions Partner
http://itdwebdesign.com
1-888-760-0878

Webdongle

Feb 9, 2012, 7:11:27 PM
to joomla-...@googlegroups.com
A plugin disabled by default sounds good.  One question that comes to mind .... If it is agreed to then would that add weight to Joomla sites in searches because Google favours software that acknowledges them ?


Mark Dexter

Feb 9, 2012, 7:48:57 PM
to joomla-...@googlegroups.com
I very much doubt that. I don't think this has anything to do with page rank (other than indirectly that Webmaster Tools gives you tips for improving your site). Mark


Brad Gies

Feb 9, 2012, 8:39:42 PM
to joomla-...@googlegroups.com

+1

I really like the idea, but only if there IS A PARAMETER for at least
the first version. I don't mind if the default is on or off, but if some
security hole is discovered, you really want site admins to be able to
turn it off, although I agree that the benefits far outweigh the risks.

Brad.



--
Sincerely,

Brad Gies
----------------------------------------------
bgies.com maxhomevalue.com
idailythought.com greenfarminvest.com
----------------------------------------------

Sam Moffatt

Feb 9, 2012, 11:36:16 PM
to joomla-...@googlegroups.com
To be honest sniffing for the version is one of those nice to haves
but if someone is really after your site they'll just open up with a
broad base of attacks that might stick to see what is vulnerable and
work from there. In a sense publicly disclosing the version number is
an issue but in a much more real sense hiding it isn't going to stop
someone just probing the site and hitting exploit points anyway.

If anything all they really care about is if it is Joomla! or not so
they can pick their attack toolkit. From there running through every
vuln from 1.0 to now really isn't a problem for your average script
kiddie, just a matter of time.

Cheers,

Sam Moffatt
http://pasamio.id.au

Alex Andreae

Feb 9, 2012, 11:49:01 PM
to Joomla! CMS Development
I like the idea and think it would be very useful to a ton of users,
and more notification is better.

My only feedback is that I think a parameter is the best idea. Adding
it as a plugin doesn't really have any benefit and moving everything
to system plugins is slowly becoming overwhelming. This would be
implemented with a simple/fast "if ($config->get('show')) $doc->addCustomTag('blah');". With a system plugin, with every page load,
you're adding extra CPU time and memory overhead for construction,
adding to the array of plugins, the execution for this plugin for each
onAfter event, etc.

Eventually, all the system plugins do add up, and it's also getting
hard to manage all the disparate System plugins which do different
things. Since there's no grouping, this will get lost and frankly be
harder to find than necessary.

In short, this seems like a perfect setting for the "Site" global
config area and not as a plugin :)

Alex

Andrew Eddie

Feb 9, 2012, 11:55:50 PM
to joomla-...@googlegroups.com
Given that it's really simple to infer the version anyway, I'd opt for a really simple solution.  Change the default generator to include the version and add a parameter to the core templates to change it or turn it off (which would save people asking how to do it), and template designers can follow suit (if they don't already).

Regards,
Andrew Eddie

Mark Dexter

Feb 10, 2012, 7:16:55 PM
to Joomla! CMS Development
I've created a Feature Tracker issue and patch here:
http://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemEdit&tracker_item_id=28026.
Please test and comment. Thanks. Mark

Andrew Eddie

Feb 10, 2012, 8:17:33 PM
to joomla-...@googlegroups.com
I've suggested it should be a text field, not a boolean. Allow people
to change the generator however they want and put a %d in for the
version number.

But why is this in the feature tracker? Can't it just go into 2.5.2
rather than waiting for 3.0?

Regards,
Andrew Eddie
http://learn.theartofjoomla.com - training videos for Joomla 1.7 developers

Mark Dexter

Feb 10, 2012, 8:40:41 PM
to joomla-...@googlegroups.com
It's in the feature tracker because it is a new feature. That doesn't mean it can't go into 2.5.2. I hope it will. We've put other features in for dot releases.

As far as making it a free-form field, Google needs to know how to find the version number. If we make it too flexible, will they be able to find it?

My thinking for this patch was to keep it simple. Also, I figured if people want to do something other than the standard message (with or without version), they can always do a plugin (in which case it won't work with Webmaster tools).

In any case, I put in the patch as a starting point. If someone wants to propose a different solution, that's great. Just create a patch and we can discuss and pick the option that people think makes the most sense.

Thanks. Mark

Beat

Feb 11, 2012, 5:36:50 AM
to Joomla! CMS Development
Hi guys,

-1 on html output of version.
+1 on emails to Super Users for Joomla AND Joomla extensions' security
releases:

May I remind that most Joomla sites do not use Google Webmaster tools
of "Pros" ? Maybe 0.1 % ?

Do we really want to obviously lower the security of 99.9% of sites to
doubtfully increase the one of 0.1% ?

Versions disclosures are still considered Vulnerabilities in PCI-DSS
and most security scanners.

E.g. I'm using it only for sites where it does really matter. And for
those sites, I'm already using other notifications methods to be sure
they stay up-to-date not only Joomla-wise, but also with all
extensions. The real issue is not with main sites, but with side-sites
(e.g. hobby sites, local associations and other things we all do for
free to help our families, friends and communities) and where we don't
always have the time to manage properly and tend to forget.

I'm throwing here just an alternate suggestion:
It would really be 1000x more efficient to build into Joomla auto-
updater daily mails that email to the site's super users when Joomla
AND/OR Joomla Extensions have upgrades that have the tag "security" in
the <tags> of the update url. That way, clear instructions on how to
press the update button in Joomla backend, possibly with direct url to
go there would help the "newbies" that you are trying to protect with
Google's "Pros" webmaster tools.

VirtualMin's scripts installer has this great feature to email either
once when it becomes available, or on a daily basis to hosting
customers when a new (e.g. Joomla) script becomes available, including
a link to do a 1-button upgrade.

Imho, doing same in Joomla would be much better than making Joomla
even more not PCI-DSS compliant out of the box...

Best Regards,
Beat
http://www.joomlapolis.com/


Sam Moffatt

Feb 12, 2012, 1:58:24 PM
to joomla-...@googlegroups.com
I'd suggest more people are likely to be able to sign up to Google
Webmaster Tools than are likely to need to meet PCI standards
compliance. PCI is realistically only a requirement for those
merchants personally handling credit card data directly themselves and
not relying upon a third party for any handling. However if you are
one of those people, you turn the feature to display your version off
and then anyone who isn't pulling in card data has the ability to get
updated by Google (perhaps because they're not selling something or
they're using someone like PayPal or Stripe or any number of other
merchant solutions that themselves handle that information).
Essentially if you're in that situation of attempting PCI compliance
you've got to do more than just change an option in Joomla!.

Additionally where do you make the basis for the assertion that only
0.1% of Joomla site could find this useful? The only people with this
information would be Google, are you saying you work for Google now?
More over last time I checked it was free to sign up to their
Webmaster Tools which makes it accessible to almost anyone with a web
front end. If you're using Google Analytics already on the same Google
account, when adding your domain to Google Webmaster Tools it can use
the Google Analytics async tracking code to verify. And I feel more
than 0.1% of people are using Google Analytics.

Cheers,


Sam Moffatt
http://pasamio.id.au

David-Andrew

Feb 15, 2012, 3:12:08 PM
to joomla-...@googlegroups.com
+1 on the whole idea. It's a new feature, so I would say put it in 3.0 (x.x.X are bug fix releases), but I'm very religious about versioning.

If people don't take the time to hide the output for security reasons (most don't) then it can't do any harm to e-mail them that their version is out of date. Most people download and install and build and never think about it again; this way they get at least a note.

Terrance Arthur

Feb 15, 2012, 3:41:55 PM
to joomla-...@googlegroups.com
+1 for the idea
-1 for enabled by default

This is a pretty good solution for a serious drawback to Joomla!

However, and I don't mean to hijack the thread, but why can't the extension manager be made to do this without the need to sign up at Google? Seems like the parts are already there just need some way to schedule checks and alert admins if updates are found. But what do I know I am brand new to Joomla! development.

I'd like to vote for this being disabled by default since it is only useful if I use Google Webmaster Tools. If I don't use Google Webmaster Tools and/or if I make an effort to run as secure a site as I can then I will want to disable this plugin which makes enabling it by default tantamount to adding one more chore to my Joomla! site setup list.

Terry Arthur


Rouven Weßling

Feb 15, 2012, 3:54:01 PM
to joomla-...@googlegroups.com
Personally I think if we don't enable this by default we might as well not do it at all. This would be mostly helpful for sites you kinda forgot about (yeah, happens) and for those people who aren't (semi-)professional site builders. If you know what you're doing then you don't need this. This would be for the rest of our users, and I'm afraid they wouldn't turn it on (or even find it in the first place).

Rouven

Terrance W. Arthur

Feb 15, 2012, 4:15:16 PM
to joomla-...@googlegroups.com

After more thought I don't think this should be done at all.

Enabling the plugin by default doesn't sign me up for Google Webmaster Tools and add the site in question to my GWT account. And unless I am wrong, these are two prerequisites to get any benefit from this plugin.

So, given all that work, no way this helps the lazy or forgetful.

Can't we just add onto the extension manager and leave Google out of it?

Terry

Hannes Papenberg

Feb 16, 2012, 11:07:20 AM
to joomla-...@googlegroups.com
The extension manager can't do this by default, because most of the
hosts that Joomla is running on are ... I don't know a word that is
strong enough and at the same time not offensive. Yes, serious sites run
on serious hosts, but those are not the ones that we are talking about.
Joomla has a large userbase with serious, well-maintained sites, however
the number of installations done by amateurs on freehosters is
magnitudes larger than the number of serious websites. This is not
really that bad, all FOSS CMS/blogging software out there suffers from
this issue, but the baseline is: You can't trust the hoster to have any
capability besides running PHP 4.0. Everything above that (PHP 5.2/5.3,
writable folders, PHP extensions that are part of PHP 5.2, but were not
in PHP4 and thus have been disabled by the hoster during compilation
time) is a bonus and can not be expected. We raised the bar already a
lot by requiring PHP 5.2.something and JSON support and a few other
things, but especially in the area of server-to-server communication
(free)hosters are very restrictive.

Besides that point, there is a huge difference between those two
approaches. The first one means that someone else is going to your site,
reads the data and then sends you a mail, the other means that your
server calls a potential single point of failure, revealing your site to
the Joomla server. The difference is, that in the first case, Google has
to find you (which it most likely does anyway) and only if someone knows
that your site exists, the whole process takes effect. In the second
case, the Joomla installation announces its presence by itself. Simply
thinking about a situation like in Egypt, Syria or Iran, this could
potentially be life threatening. If I were an evil dictator and had the
power over all outgoing internet traffic, I'd simply re-route all the
automatic update checks of Joomla sites to my server and thus would know
about all Joomla sites there are right after installation, discovering
oppositional websites and having the possibility to take actions against
it before anybody even knows about them.

Hannes

Am 15.02.2012 21:41, schrieb Terrance Arthur:
> +1 for the idea
> -1 for enabled by default
>
> This is a pretty good solution for a serious drawback to Joomla!
>
> However, and I don't mean to hijack the thread, but why can't the
> extension manager be made to do this without the need to sign up at
> Google? Seems like the parts are already there just need some way to
> schedule checks and alert admins if updates are found. But what do I
> know I am brand new to Joomla! development.
>
> I'd like to vote for this being disabled by default since it is only
> useful if I use Google Webmaster Tools. If I don't use Google
> Webmaster Tools and/or if I make an effort to run as secure a site as
> I can then I will want to disable this plugin which makes enabling it
> by default tantamount to adding one more chore to my Joomla! site
> setup list.
>
> Terry Arthur
>
>

> On Wed, Feb 15, 2012 at 3:12 PM, David-Andrew
> <chillcr...@gmail.com <mailto:chillcr...@gmail.com>> wrote:
>
> +1 on the whole idea. Its a new feature, so I would say put it in
> 3.0 (x.x.X are bug fix releases), but Im very religious about
> versioning.
>
> If people don't take the time to hide the output for security
> reasons (most don't) then it can't do any harm to e-mail them that
> there version is out of date. Most people download and install and
> build and never think about it again, this way they get at least a
> note.
> --
> You received this message because you are subscribed to the Google
> Groups "Joomla! CMS Development" group.
> To view this discussion on the web, visit
> https://groups.google.com/d/msg/joomla-dev-cms/-/tTJG0Gp8vNoJ.
> To post to this group, send an email to
> joomla-...@googlegroups.com <mailto:joomla-...@googlegroups.com>.
> To unsubscribe from this group, send email to
> joomla-dev-cm...@googlegroups.com <mailto:joomla-dev-cms%2Bunsu...@googlegroups.com>.
> For more options, visit this group at
> http://groups.google.com/group/joomla-dev-cms?hl=en-GB.


raramuridesign

unread,
Feb 20, 2012, 2:35:47 AM2/20/12
to joomla-...@googlegroups.com
@all
instead of adding another plugin, which needs to fire every time, why can this not be a parameter in the configuration.php file?
Matthew

Mark Dexter

unread,
Feb 20, 2012, 10:49:20 AM2/20/12
to joomla-...@googlegroups.com
That's exactly how the proposed patch works. Here is the link: http://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemEdit&tracker_item_id=28026.

Testers welcome. Thanks. Mark


Kim Anderson

unread,
Feb 20, 2012, 12:07:49 PM2/20/12
to joomla-...@googlegroups.com

Thank you Mark ~

       I love when I learn about companies that are in the place of “the fire that needs no wood” for the good of all ~ and to keep things a more even playing field ~

       Are you in New York?

          Kim

 

Too much of a good thing is wonderful.

-Mae West

 


Mark Simpson

unread,
Feb 20, 2012, 6:07:41 PM2/20/12
to joomla-...@googlegroups.com
Hi,

Please do not add another parameter to Global Configuration.

I recently started working with Joomla 2.5 and the sheer number of params I have to deal with to do simple things is exhausting.

This is a feature only a tiny number of users will use, and as such, should not be in Global Config. 

At present, the generator tag can be removed with one line of code in any Joomla template:
$document->setGenerator('');

Or it can be modified like so:
$document->setGenerator('Acme CMS');

Users who want to remove the generator tag can do so in the Joomla template, or by using one of the many Joomla plugins. 
Adding yet another parameter to the Joomla administrator panel increases cognitive load and is therefore a negative, as far as usability is concerned.

Perhaps a better solution would be to allow setGenerator to accept a second parameter, a boolean that would result in the version number being appended to the generator attribute.
This ensures Google knows where to look for the version.
 
$document->setGenerator('Acme CMS');
$document->setGenerator('Acme CMS', true);
name="generator" content="Acme CMS"
name="generator" content="Acme CMS 2.5.1"


Cheers
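As an added illustration of the two generator forms shown above (example code written for this thread, not Joomla's own or the author's), a small Python audit that parses a rendered page and reports whether its generator tag discloses nothing, a product name only, the major.minor that Joomla emits today, or the full point release; the sample pages are constructed.

```python
import re
from html.parser import HTMLParser

# Constructed sample pages (not captured from any real site).
SAMPLE_PAGES = {
    "current": '<html><head><meta name="generator" content="Joomla! 1.5 - Open Source Content Management" /></head></html>',
    "proposed": '<html><head><meta name="generator" content="Joomla! 2.5.1 - Open Source Content Management" /></head></html>',
    "custom": '<html><head><meta name="generator" content="Acme CMS 2.5.1"></head></html>',
    "name-only": '<html><head><meta name="generator" content="Acme CMS"></head></html>',
    "removed": '<html><head><title>no generator tag at all</title></head></html>',
}

FULL_VERSION = re.compile(r"\b(\d+\.\d+\.\d+)\b")  # e.g. 2.5.1: the point release the patch would expose
MAJOR_MINOR = re.compile(r"\b(\d+\.\d+)\b")         # e.g. 1.5: what the current tag carries


class GeneratorMetaParser(HTMLParser):
    """Collect the content attribute of every <meta name="generator"> tag."""

    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if attrs.get("name", "").lower() == "generator":
            self.generators.append(attrs.get("content", ""))


def audit_generator(html):
    """Return (level, content) where level is 'none', 'name-only', 'major-minor' or 'full'."""
    parser = GeneratorMetaParser()
    parser.feed(html)
    content = parser.generators[0] if parser.generators else ""
    if not content.strip():
        return "none", content            # tag absent or emptied via setGenerator('')
    if FULL_VERSION.search(content):
        return "full", content            # full version disclosed, as the proposal would do
    if MAJOR_MINOR.search(content):
        return "major-minor", content     # today's Joomla default
    return "name-only", content           # custom name without a version


if __name__ == "__main__":
    for label, page in SAMPLE_PAGES.items():
        level, content = audit_generator(page)
        print(f"{label:9s} -> {level:11s} {content!r}")
```

Run against your own site's saved HTML to confirm which of the forms discussed in the thread it actually emits.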


Terrance Arthur

unread,
Feb 20, 2012, 6:33:41 PM2/20/12
to joomla-...@googlegroups.com
+1 on leaving this out. Aside from being a step backward security-wise, this idea has a thin market for its use: Google Webmaster Tools users who have added the particular site to their account. So this setting does nothing by itself and has no place in the global config.

Terry Arthur





raramuridesign

unread,
Feb 21, 2012, 1:31:10 AM2/21/12
to joomla-...@googlegroups.com
@Mark 
thanks for this, this is perfect, I like the option of having the ability to add any generator name in this... version output optional is great.

Thanks
Matthew

Marius van Rijnsoever

unread,
Feb 21, 2012, 2:23:35 AM2/21/12
to joomla-...@googlegroups.com
I am strongly against implementing a patch that allows the display of
critical security information to all browsers. If a security flaw is
discovered in a future joomla version, anybody can use google to get a
list of vulnerable sites or just check the html header to see if they
can hack that Joomla site.

This "feature patch" would introduce an "information disclosure"
security bug that will make Joomla much less secure.

Please do not implement this. Thanks Marius

Mark Dexter

unread,
Feb 21, 2012, 12:35:54 PM2/21/12
to joomla-...@googlegroups.com
I respectfully remind you that the security experts at Google and WordPress (among many others) do NOT see this as a security vulnerability. Obviously this is an issue on which people can have different opinions, which is why the proposal is for a configuration option. Mark


Marius van Rijnsoever

unread,
Feb 21, 2012, 5:32:51 PM2/21/12
to joomla-...@googlegroups.com
Hi Mark,

I respectfully voice a difference of opinion. Just because wordpress
does it, does not mean my concerns are invalid. Rather than dismissing
my post with "someone else disagrees with you", it would be beneficial
to reply to my actual voiced concerns.

Just to quote the "The Web Application Security Consortium"
"Software version numbers and verbose error messages (such as ASP.NET
version numbers) are examples of improper server configuration"
http://projects.webappsec.org/w/page/13246936/Information%20Leakage

There is a lot of information on "version disclosure" issues when you
use google:
"EVERY security specialist will tell you that you should never
disclose details, versions, configurations - NEVER if you
can avoid it"

The web is "littered" with articles on "good security practice" that
highlight that production servers should ->never<- display version
numbers.
http://securitythoughts.wordpress.com/2011/03/30/how-to-modify-apache-coyote1-1-banner/

Even google on its blogs indicates that this "version disclosure" can
do harm, but believe the good outweighs the bad. I'll guide you
through my analysis of this:

The issue: People do not update their joomla versions
Proposed solution: Publicly disclose joomla version to everyone, ask
people to register with 3rd party (google), who will scan the web and
email you when a version is outdated.

Version disclosure is bad for a couple of reasons (feel free to discuss these)
1. Once a new joomla vulnerability becomes known, you can get a list
of specific joomla sites that you can hack (just google "joomla
2.5.6")
2. Rather than a hacker having to try joomla hacks by "brute force",
he can just look at the html header to see if a joomla site has
vulnerabilities.

I am not saying the issue of "people do not upgrade their joomla
sites" does not exist.

I am saying the solution of "disclosing version, registering with
google, depending on google to email Joomla users to upgrade" is the
wrong solution.

There are many plugins in the JED that solve the same issue in a better
way. Joomla version checks are done periodically automatically and the
Joomla install itself emails the administrator directly (yes I know
about the other issues about using a front-end triggered cron system).

The argument "you can disable it through global config" also is
problematic. 99.9% of people will not change this setting. Therefore
if this is enabled by default people's version is disclosed
automatically even if they have not got a google webmastertools
account, and therefore are more vulnerable without being protected by
google's "email notifications".

I am not trying to be disrespectful of other people (please do not
take this personally). I just really do not want to see this implemented
by default, as this does have security implications (and better ways
of fixing "the issue" are available).

Thanks, Marius

Mark Dexter

unread,
Feb 21, 2012, 5:41:23 PM2/21/12
to joomla-...@googlegroups.com
Hi Marius. I completely agree that this is an issue on which reasonable people may disagree. I was not being dismissive of your view.

It seems to me that we have a situation where some people prefer vanilla and others prefer chocolate. In that type of situation, having a configuration option seems like a reasonable compromise. To me, it is unreasonable to insist that everyone have vanilla and to forbid people who prefer chocolate to have chocolate.

Mark

Marius van Rijnsoever

unread,
Feb 21, 2012, 6:38:07 PM2/21/12
to joomla-...@googlegroups.com

I wish it was as simple as vanilla vs chocolate.

Scenario 1: your patch enabled by default
Information disclosure for 99% of joomla users, who do not get updates from joomla as they do not use webmaster tools. 1% of webmaster tools users automatically get update emails.

Scenario 2: your patch disabled by default.
99% of joomla users still not protected. The 1% of webmaster tools users are saved the hassle of downloading a plugin from the jed, as they go to the global config instead.

Either way it does not solve the issue and just makes us feel warm and fuzzy by making us believe we solved it.

The only way to solve the issue is for joomla itself to automatically email the admin when a new version is available. This will protect 100% of users without relying on people using 3rd party services and without helping hackers

Sent from my galaxy S2

Rouven Weßling

unread,
Feb 21, 2012, 6:40:30 PM2/21/12
to joomla-...@googlegroups.com

On 21.02.2012, at 23:32, Marius van Rijnsoever wrote:

> 1. Once a new joomla vulnerability becomes known, you can get a list
> of specific joomla sites that you can hack (just google "joomla
> 2.5.6")

It's not that easy since the version number is in the generator property which - AFAIK - isn't searchable through google. You can however find Joomla installations relatively easily and then write your own crawler to check the version on these. Still the hurdle is a bit higher.

The question is who the real problem is: script kiddies just run automated tools against any site they find. They don't really care about information like this.

A cracker targeting your site on the other hand may learn something useful.

Rouven

Sam Moffatt

unread,
Feb 21, 2012, 11:46:34 PM2/21/12
to joomla-...@googlegroups.com
Over the years I can't count the number of times I've seen blind
attacks thrown at sites I maintain. Extensions I've never installed,
until a couple of years ago the odd mosconfig line was in my logs as
well.

As for automatically emailing users, we've got that. It's called the
announcements forum. You subscribe to it and you get email updates.
There are a few non-release announcements in that forum however for
the most part they're releases.

If that's not interesting there is a feed:
http://www.joomla.org/announcements/release-news/

You can pick that up, have that emailed to you as well. Has all sorts
of juicy details.

You can get security updates here:
http://www.joomla.org/download.html

You're asking for something that exists literally in triplicate.

And again, we don't know if it is 1% or 10% of Joomla! sites that
utilise Google Webmaster Tools. Almost anyone doing SEO will likely
have put their site through Google Webmaster Tools to see what it can
tell them as well (if anything it'll tell you when you've got broken
links). I'd like to see if we can get a number from Google of what
percentage of sites they crawl and identify are Joomla and also
utilise Webmaster Tools.

Putting the version number doesn't magically prevent your site, would
barely slow even the laziest script kiddie and certainly isn't going
to prevent anyone more dedicated. There are lots of little ways to
work out the Joomla! version without much difficulty however
realistically the version is inconsequential, you just care if the
vulnerability works.

I fail to see how putting an option in, I believe presently disabled
by default, is such an issue. Even if it was enabled by default it
doesn't magically make your site more insecure just as hiding it
doesn't make your site magically more secure. The reality is it makes
precious little difference apart from deluding yourself that the bad
guys won't be able to attack you because they don't know what version
you're running. It's just another form of theatre, they'll just scan
for the vulnerabilities directly and take out the site anyway.

And by denying this we just short-changed those 140,000 users who
might have been notified through yet another mechanism as well. That's
conservatively 1% of 14 million downloads. Again, we don't have
numbers so it could potentially be much more.

@Mark: could you request a number from Google of how many Joomla sites
they index (roughly) and what percentage are tied to Google Webmaster
Tools? Additionally those tied to Google Analytics would be useful as
well since you can get to Google Webmaster Tools with GA as well.

Cheers,

Sam Moffatt
http://pasamio.id.au

Michael Babker

unread,
Feb 21, 2012, 11:53:57 PM2/21/12
to joomla-...@googlegroups.com
FWIW...

When I get e-mails from users of my extensions and the issue sounds like
something because of a bad J! update or using an older version of J! or my
extensions, I'm usually able to confirm this by loading manifest XMLs on
those websites. Those XML files are just as much of a disclosure as the
proposed change to the generator tag, but let's be honest here; how many
folks have taken measures to protect against unwanted access to those files too?
