I don’t think the Discourse version is shown anywhere (except to the admin on the Dashboard), why not add it to the /about page?
I’m currently researching Discourse usage and would be interested to see which version site admins are running.
To a normal user this would let them know which forum software is being used.
I guess it would not hurt, especially when Discourse already provides its version in HTML’s <head>:
<meta name="generator" content="Discourse 1.3.0.beta4 - https://github.com/discourse/discourse version 7d5b8de1f8f2360524b8bc959c59064dcbe85c16">
I don’t think this is a good idea.
It’s fine: if the version number is in the meta tags, there’s no difference between that and putting it on the about page.
I’ve seen some administrators disable software version numbers in HTTP responses, others go further and recompile Apache to identify as Microsoft’s IIS or Nginx to pretend to be Apache [sic].
This is a part of something known as
It gives no protection against directed attacks, but usually mitigates a big chunk of automated threats performed by inexperienced/unmotivated adversaries.
I guess @terraboss’ concern is that script-kiddies would crawl the web and look for specific Discourse versions with known vulnerabilities and execute an exploit if the version is low enough (unpatched installations).
This was/is the main concern for phpBB installations.
In this context it would be beneficial to add an option to /admin that controls displaying the Discourse version (in <meta> and /about).
That being said, we probably want to follow the example of Nginx and others and keep it enabled by default (version visible).
Indeed. That’s exactly my concern. Real hackers are able to exploit any (web) application. But today, in my experience, we have to deal more and more with bored script kiddies and poorly secured default setups. Discourse is currently in beta, but it’s pretty well maintained. I’m running daily upgrades.
As long as most admins would do the same, there is no need for security through obscurity.
That’s just my opinion. There are even more settings (DNS, firewall, SSL, database, login, KVM, …) to get a secure system, and backups won’t be bad at all.
The Discourse version is included in all HTML responses, though. So this wouldn’t be revealing anything extra.
Having the Discourse version in HTML responses is actually quite different than stating it in an about page. Individuals looking for specific versions of vulnerable software tend to look for a specific string of text on a page via a search engine. If this information were present on the about page, you could quickly generate a list of tons of sites running software y, version x.z.
A response in the header? Not so much.
The /about content isn’t visible to search engines, you would need to parse /about.json.
Besides, it’s open source software: you can easily fingerprint JS/CSS payloads and get a rather accurate payload -> version map.
This may not help the average (whatever that is) user, but here’s a simple JavaScript that will get the Discourse version:
// Read the generator <meta> tag and keep "Discourse <version>".
// [\w.]+ keeps a prerelease suffix such as ".beta4"; the original [\d\.]+ stopped at "1.3.0." and cut it off.
var verStr = document.querySelector('meta[name="generator"]').content.match(/\w+ +[\w.]+/)[0];
verStr
You could run this script from several tools:
- AppleScript
- JavaScript for Automation (JXA)
- Keyboard Maestro
- Browser bookmarklet
- others?
I’ve tested it only in Chrome, so I can’t vouch for other browsers, but it should work in Safari.
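The one-liner above only pulls out a display string. As an added example (not code from the thread or from the Discourse project), the following snippet parses the whole generator tag quoted earlier into product, version, repository and commit, and compares the version against a minimum the admin considers acceptable. The regular expression, the beta/rc ordering and the minimum-version values used here are assumptions built from the single tag shown in the thread, not a description of any real release or vulnerability; `readPageGenerator` is the only part that touches the DOM, so the rest runs in Node as well.

```javascript
// Added example: parse the Discourse generator <meta> content and compare
// versions. Assumptions: versions look like "1.3.0" or "1.3.0.beta4"/"1.3.0.rc1"
// (inferred from the tag quoted in the thread); minimum versions below are
// constructed for illustration only.

// e.g. "Discourse 1.3.0.beta4 - https://github.com/discourse/discourse version <sha>"
const GENERATOR_RE =
  /^(\w+)\s+(\d+(?:\.\d+)*(?:\.(?:beta|rc)\d+)?)(?:\s+-\s+(\S+))?(?:\s+version\s+([0-9a-f]{7,40}))?/i;

function parseGenerator(content) {
  const m = GENERATOR_RE.exec(String(content).trim());
  if (!m) return null;
  return {
    product: m[1],
    version: m[2],
    repo: m[3] || null,
    commit: m[4] || null,
  };
}

// "1.3.0.beta4" -> { nums: [1, 3, 0], pre: { kind: "beta", n: 4 } }
function splitVersion(v) {
  const parts = v.split(".");
  let pre = null;
  const preMatch = /^(beta|rc)(\d+)$/i.exec(parts[parts.length - 1]);
  if (preMatch) {
    parts.pop();
    pre = { kind: preMatch[1].toLowerCase(), n: Number(preMatch[2]) };
  }
  return { nums: parts.map(Number), pre };
}

// Returns <0 if a is older than b, 0 if equal, >0 if newer.
// A release is newer than any prerelease of the same number; beta < rc.
function compareVersions(a, b) {
  const A = splitVersion(a);
  const B = splitVersion(b);
  const len = Math.max(A.nums.length, B.nums.length);
  for (let i = 0; i < len; i++) {
    const d = (A.nums[i] || 0) - (B.nums[i] || 0);
    if (d !== 0) return d;
  }
  if (!A.pre && !B.pre) return 0;
  if (!A.pre) return 1;
  if (!B.pre) return -1;
  const rank = { beta: 0, rc: 1 };
  if (A.pre.kind !== B.pre.kind) return rank[A.pre.kind] - rank[B.pre.kind];
  return A.pre.n - B.pre.n;
}

// true = older than minimumVersion, false = at or above it,
// null = no parseable generator tag (do not treat "unknown" as "fine").
function isOutdated(metaContent, minimumVersion) {
  const info = parseGenerator(metaContent);
  if (!info) return null;
  return compareVersions(info.version, minimumVersion) < 0;
}

// Browser-only convenience: read the tag from the current page.
function readPageGenerator() {
  if (typeof document === "undefined") return null;
  const el = document.querySelector('meta[name="generator"]');
  return el ? parseGenerator(el.content) : null;
}

// Sample input: the generator content quoted earlier in the thread.
const SAMPLE =
  "Discourse 1.3.0.beta4 - https://github.com/discourse/discourse version 7d5b8de1f8f2360524b8bc959c59064dcbe85c16";

console.log(parseGenerator(SAMPLE));
console.log("older than 1.3.0 release:", isOutdated(SAMPLE, "1.3.0"));
```

Note that `isOutdated` returns `null` rather than `false` when no generator tag is present: an instance that hides its version (as the option discussed above would allow) is unknown, not verified, and a monitoring script should treat it that way.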