• Resolved poopertropper

    (@poopertropper)


    Our internal security team has flagged this plugin for production use because the plugin displays the version information within the HTML.

    While the threat is minimal, the idea behind version leaking is that hackers may be aware of a certain exploit based on the version number, and if they can get that version number it makes it easier to exploit.

    https://www.techrepublic.com/blog/it-security/dont-leak-service-and-version-info-to-would-be-hackers-how-to-hide-it/

    Is there any reason to print out the version information? I’d rather not have to hack the module and remove it myself or worse uninstall completely so I was hoping to hear some feedback as to the need for printing version info.

    WordPress does this as well, but luckily they give you an out to disable all version info from being public. Thoughts?

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author Hector Cabrera

    (@hcabrera)

    Hi @poopertropper,

    Is there any reason to print out the version information?

    The version number is there mostly for debugging purposes.

    If someone really, really wanted to find out which version of any plugin you have installed on your site, they can still navigate to https://www.example.com/wp-content/plugins/plugin-name/readme.txt and they’ll instantly get all the information they need from said plugin. A similar approach can be taken to determine the version number of your current theme.

    The best thing anyone can do to keep attackers out is by making sure you’re running the latest version of everything: themes, plugins, WordPress core, PHP, MySQL, server’s OS, et cetera (and even that way, they might still find a way in, so constant monitoring is a must).

    WPP is open source and its code can be found on GitHub. If you ever find a security vulnerability, please make sure to let me know and I’ll look into it as soon as possible.

    Thread Starter poopertropper

    (@poopertropper)

    I totally understand that, but unfortunately it is a requirement of the business to not allow any version information to leak into the publicly viewable HTML.

    Our theme is 100% custom and we’re able to remove WordPress version information with a simple hook, so I was hoping something else like this was available through WPP. However I totally understand your point of view and thank you for the feedback. I suppose we will just have to build our own popular post plugin for the time being. Thanks again!

    Plugin Author Hector Cabrera

    (@hcabrera)

    Don’t mention it, @poopertropper.

    Our theme is 100% custom and we’re able to remove wordpress version information with a simple hook, so I was hoping something else like this was available through WPP.

    Well, there may be a workaround.

    I’m not 100% sure as I’m not near my computer right now, but I recall noticing that when hooking either into wpp_custom_html or wpp_post (don’t remember which one) the plugin wasn’t including the version number in the HTML output. I don’t remember if I ever fixed that or not, so you might want to give it a shot.

    I may add a simple check for WP_DEBUG, and if it’s enabled then all that info (version number, console.log messages, etc) will be available. Otherwise, well, it won’t be 😛

    Sounds fair enough?
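As an added illustration (not code from WordPress Popular Posts, and not anything either participant posted), the two mechanisms discussed above sketched in one hypothetical must-use plugin: the "simple hook" the thread starter mentions for keeping WordPress core version strings out of public HTML, and the WP_DEBUG gate the plugin author proposes for a plugin's own diagnostic output. The hook, filter and function names `wp_head`, `wp_generator`, `the_generator`, `script_loader_src`, `style_loader_src`, `remove_query_arg` and the `WP_DEBUG` constant are real WordPress core names; everything prefixed `example_` is an assumed name, and `example_render_widget()` stands in for whatever a plugin's real rendering routine would be.

```php
<?php
/**
 * Plugin Name: Example Version Hygiene (mu-plugin)
 * Description: Added example, not WPP code. Keeps version strings out of
 *              public HTML and gates a plugin's debug markup on WP_DEBUG.
 */

// 1. Remove the <meta name="generator" content="WordPress x.y.z"> tag that
//    core prints into <head> via the wp_generator callback.
remove_action( 'wp_head', 'wp_generator' );

// The same version string also feeds RSS/Atom feeds; blank it there too.
add_filter( 'the_generator', '__return_empty_string' );

// 2. Strip the "?ver=" query argument that wp_enqueue_script()/_style() append
//    to asset URLs (it usually carries the core, theme or plugin version).
//    Assumed helper name. Late priority so it runs after other filters.
function example_strip_version_query( $src ) {
    if ( is_string( $src ) && false !== strpos( $src, 'ver=' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'example_strip_version_query', 999 );
add_filter( 'style_loader_src', 'example_strip_version_query', 999 );

// 3. The gating pattern suggested in the reply above: a plugin emits its
//    version (and other diagnostics) only when WP_DEBUG is enabled.
//    example_render_widget() is hypothetical; it models a plugin's own
//    output routine and is NOT WPP's implementation.
function example_render_widget( $inner_html, $plugin_version ) {
    $debug_on = defined( 'WP_DEBUG' ) && WP_DEBUG;

    // Diagnostic banner for developers; omitted entirely in production.
    $banner = $debug_on
        ? sprintf( "<!-- example-plugin v%s -->\n", esc_html( $plugin_version ) )
        : '';

    return $banner . $inner_html;
}
```

Dropping the `ver=` argument also removes WordPress's built-in cache busting for scripts and styles, so a site doing this should bust caches some other way (a content hash in the filename, for instance). After deploying, confirm the result by fetching a public page and checking that the rendered HTML contains neither `name="generator"` nor `ver=` in asset URLs. As the plugin author notes, none of this hides `readme.txt` or other files shipped inside a plugin directory; that exposure has to be handled at the web server, and it is a reason the real control remains keeping everything updated.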

    Thread Starter poopertropper

    (@poopertropper)

    That would be amazing!

    Plugin Author Hector Cabrera

    (@hcabrera)

    There you go, @poopertropper! You can either use the GitHub version of the plugin now or wait for a couple of weeks to get the official update.

    Thread Starter poopertropper

    (@poopertropper)

    You’re amazing!

  • The topic ‘Plugin Leaking Version information’ is closed to new replies.