What is your version?

A while ago, when I was asking about some things on Cake’s IRC :) I heard a question like this:

Are there security holes or potential security risks in CakePHP?

The answer was like this:

This depends mostly on how you implement certain things. Also, Cake doesn’t force you to include its signature, so even if a security vulnerability exists, it’s harder to find Cake apps by typing “Powered by CakePHP” into Google (as you can do with, for example, phpBB).

Note: This isn’t the exact question/answer, just how I remember them. I don’t doubt Cake is secure/stable enough ;)

The first part of this answer is quite obvious: in terms of security, you can use a good tool to create an insecure application.

The second part of the answer is more interesting. Normally, most open-source products include their signature and version in the publicly accessible part of the site. Even if it is removed from the template, it may still be available in meta tags or other places. Most popular software (forums, blogs, shopping scripts) has security bugs which require patches or a version update. Updates are released on a regular basis; however, I suppose a large number of sites keep running old versions of the software for various reasons (and thus remain vulnerable).

For example, my WordPress dashboard reminds me about a security update roughly once a month. This requires me to download and install it, so I have to spend some amount of time on this every month. If I ran 10 different blogs on 10 different hosting servers, I would have 10 times more work. All the while, the version is visible to anyone. This doesn’t mean my blog becomes more protected from a hack if the version is not shown, but in that case it wouldn’t be listed in Google saying “please hack me”.

By the way, it looks like Google tries to protect sites which use vulnerable scripts: this is what I got when I tried to search for +”Powered by phpBB 2.0.6..10″ -phpbb.com -phpbb.pl (phpBB SQL injection vulnerability, source). Yahoo doesn’t do it.

Conclusion: A site owner should always be well informed about the software version, its security holes and how to fix them; however, to keep the site better protected, there is no need to provide anyone else with that information.
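The post names three places where a site gives away its software and version (HTTP headers, the generator meta tag, “Powered by” text in the page body). As an added example that is not part of the original post, the following self-check scans a response for those signatures and shows the template-side fix of dropping the generator tag. The headers and HTML are constructed samples, and the set of header names checked is an assumption about which headers commonly carry versions.

```python
import re
from typing import List, NamedTuple

# Constructed sample response (not from any real site) that leaks software names and
# versions in HTTP headers, a <meta name="generator"> tag and "Powered by" body text.
SAMPLE_HEADERS = {
    "Server": "Apache/2.2.8 (Ubuntu)",
    "X-Powered-By": "PHP/5.2.4",
}
SAMPLE_HTML = """<html><head>
<meta content="WordPress 2.3.2" name="generator" />
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
</head><body>
<div id="footer">Powered by phpBB 2.0.6 &copy; 2001 phpBB Group</div>
<p>Powered by CakePHP</p>
</body></html>"""

class Disclosure(NamedTuple):
    location: str      # where the signature was found
    text: str          # the disclosed signature itself
    has_version: bool  # True when a version number is part of it

HEADERS_TO_CHECK = {"server", "x-powered-by", "x-generator", "x-aspnet-version"}  # assumed list
META_TAG = re.compile(r"<meta\b[^>]*>", re.I)
ATTR = re.compile(r"""([\w-]+)\s*=\s*["']([^"']*)["']""")
TAG = re.compile(r"<[^>]+>")
POWERED_BY = re.compile(r"Powered\s+by\s+(\w[\w.-]*(?:\s+v?\d[\w.]*)?)", re.I)
VERSION = re.compile(r"\d+(?:\.\d+)+")

def _meta_attrs(tag: str) -> dict:
    """Attribute map of one tag, so attribute order inside the tag does not matter."""
    return {k.lower(): v for k, v in ATTR.findall(tag)}

def find_disclosures(headers: dict, html: str) -> List[Disclosure]:
    """Return every software signature found in the response headers and body."""
    found = []
    for name, value in headers.items():
        if name.lower() in HEADERS_TO_CHECK:
            found.append(Disclosure("header:" + name, value, bool(VERSION.search(value))))
    for tag in META_TAG.findall(html):
        attrs = _meta_attrs(tag)
        if attrs.get("name", "").lower() == "generator" and attrs.get("content"):
            found.append(Disclosure("meta:generator", attrs["content"], bool(VERSION.search(attrs["content"]))))
    for m in POWERED_BY.finditer(TAG.sub(" ", html)):  # visible text only, tags stripped
        found.append(Disclosure("body:powered-by", m.group(1), bool(VERSION.search(m.group(1)))))
    return found

def strip_generator_meta(html: str) -> str:
    """Template-side mitigation: remove <meta name="generator"> before the page is served."""
    return META_TAG.sub(lambda m: "" if _meta_attrs(m.group(0)).get("name", "").lower() == "generator" else m.group(0), html)
```

Run `find_disclosures` against your own site's headers and HTML; the "Powered by" footer text still has to be removed in the theme or template, which this check only reports.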

This entry was posted on Tuesday, February 5th, 2008 at 10:30 and is filed under security.

2 Responses to “What is your version?”

I know this is off topic but I’m looking into starting my own blog
and was wondering what all is needed to get set up?
I’m assuming having a blog like yours would cost a pretty penny?

I’m not very internet smart so I’m not 100% positive.

Any tips or advice would be greatly appreciated.
Cheers

I am truly pleased to glance at this webpage’s posts, which include lots
of helpful facts; thanks for providing this data.
