IMPROVEMENT: Deleting the s9y Version from the html source
Posted: Tue Aug 05, 2008 3:48 pm
by amarradi
Hello together,
I found a blog with s9y 1.1.3 and I think there are many bugs in this version. If someone has an exploit for this version, then this blog is in danger.
Code:
<meta name="Powered-By" content="Serendipity v.1.3.1" />
I think the version number is uninteresting.
I would say in future versions it is better to write only Serendipity without the version number, for security reasons.
Many greetings
Marcus Radisch
Re: IMPROVEMENT: Deleting the s9y Version from the html source
Posted: Tue Aug 05, 2008 4:37 pm
by garvinhicking
Hi!
For us developers the version number is often important to help debug things. Many inexperienced users often do not know which version they are using, and it has been a tremendous help for our forum support up to now.
If one does not want version strings, he can set the $serendipity['expose_s9y'] variable to false.
Also, security through obscurity does not really hinder the impact - hackers would still simply attack a site with known exploits, not even taking the time to check a version.
I agree that removing a version number can tighten security, but IMHO the benefits for usual users are higher to not have that be the default s9y option.
Best regards,
Garvin
Re: IMPROVEMENT: Deleting the s9y Version from the html source
Posted: Tue Aug 05, 2008 7:58 pm
by Cenic
Hi,
garvinhicking wrote: If one does not want version strings, he can set the $serendipity['expose_s9y'] variable to false.
It looks like the Powered-By meta tag is hardcoded in most templates and it doesn't depend on the expose_s9y variable. I think that is what Marcus was referring to.
Regards,
Stefan
Re: IMPROVEMENT: Deleting the s9y Version from the html source
Posted: Tue Aug 05, 2008 8:19 pm
by garvinhicking
Hi!
Cenic wrote: It looks like the Powered-By meta tag is hardcoded in most templates and it doesn't depend on the expose_s9y variable. I think that is what Marcus was referring to.
The s9y core takes care of setting $serendipity['version'] to a string that no longer contains the version number. So once this expose_s9y variable is set, the version is also no longer exposed in any template.
Regards
Garvin
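A check a site owner can run over the rendered HTML to confirm that, once expose_s9y is set to false, the Powered-By meta tag no longer carries a version string. This is an added example, not code from the thread or from Serendipity; it only assumes the tag format quoted above, and the HTML samples in it are constructed.

```python
"""Report version strings leaked through <meta name="Powered-By"> tags."""
import re
from html.parser import HTMLParser

# Matches version fragments such as "v.1.3.1", "v1.3" or a bare "1.3.1".
VERSION_RE = re.compile(r"\bv?\.?\s*\d+(?:\.\d+)+\b", re.IGNORECASE)


class PoweredByScanner(HTMLParser):
    """Collect the content attribute of every Powered-By meta tag."""

    def __init__(self):
        super().__init__()
        self.contents = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser routes self-closing <meta ... /> tags here as well.
        if tag.lower() != "meta":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        if attr.get("name", "").lower() == "powered-by":
            self.contents.append(attr.get("content", ""))


def powered_by_contents(html):
    """Return the content of each Powered-By meta tag, in document order."""
    scanner = PoweredByScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.contents


def exposed_versions(html):
    """Return the version strings found in Powered-By tags; empty if none."""
    found = []
    for content in powered_by_contents(html):
        match = VERSION_RE.search(content)
        if match:
            found.append(match.group(0))
    return found


# Constructed samples: the tag as quoted in the thread, and the same tag
# as it should render once the version string is suppressed.
BEFORE = '<html><head><meta name="Powered-By" content="Serendipity v.1.3.1" /></head></html>'
AFTER = '<html><head><meta name="Powered-By" content="Serendipity" /></head></html>'

if __name__ == "__main__":
    print(exposed_versions(BEFORE))  # ['v.1.3.1']
    print(exposed_versions(AFTER))   # []
```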
Posted: Tue Aug 05, 2008 10:56 pm
by amarradi
Hello together,
I would say we should set up a development guide where such things are defined, e.g. no version numbers in templates.
Bye
Marcus Radisch