I don't agree with you.
Not everyone regularly updates their systems to match the latest
available version; some don't update at all. So the version of
phpMyAdmin may (and surely will in most cases) differ from the repository
information.
I constantly see various vulnerability scan attempts in the web server logs
coming from around the net. Most of the attempts to exploit popular vulnerable
Web applications are performed when the attacker knows an exact version number.
Previously, in earlier phpMA 3.4.x versions, the version number was
disclosed right in the login page's title; fortunately, it was fixed in time.

Tue, 20 Sep 2011 11:57:07 +0400, Thijs Kinkhorst <th...@debian.org> wrote:
> On Tue, September 20, 2011 03:55, Moonwalker wrote:
> > Package: phpmyadmin
> > Version: 3.4.5-1
> >
> > Documentation.html page of any phpMyAdmin installation discloses its
> > version number to any user. Meanwhile, most of the documentation contents
> > are actually useless for ordinary database users. I think you should
> > consider removing it from public access through HTTP server.
>
> On Debian, the version number of phpMyAdmin is known anyway:
> http://packages.debian.org/phpmyadmin
> I do not believe that knowledge of the version number provides a
> significant advantage to attackers since they can easily and in an
> automated fashion just try the known exploits. Further hiding it is only
> beneficial for a misplaced feeling of security.
>
> I think it's counter productive to remove documentation as long as it has
> useful information.
>
> Cheers,
> Thijs



