[WEB SECURITY] Information leakage about version of the system

MustLive mustlive at websecurity.com.ua
Sun Feb 28 13:59:53 EST 2010


Hello participants of Mailing List.

This month I wrote a series of articles "Information leakage about version
of the system" (http://websecurity.com.ua/3970/). This is English version of
the prologue of the article. If you'll decide to read articles for more
details, than you can do it with help of Google Translate 
(http://translate.google.com/translate?hl=en&ie=UTF-8&u=http://websecurity.com.ua/3970/&sl=uk&tl=en).

Showing of version of the system - it's widespread function in web
applications and web systems. Many different engines show (in different way)
information about version of the system and this capability of engines is a
vulnerability. It's information leakage about version of the system, which
can be used for attack on the sites, which are using this engine.

Such information leakage can be dangerous, if a vulnerability was found in
some version of the system, and so information leakage about version can be
used for attack on this system. That is why it's better to not allow
information leakage about version of used web system. Besides, this rule
also concerns server software (such as web server and DBMS), it's also
better to not show their versions.

As I planned already from 2008, I showed an examples of Information Leakage
vulnerabilities in different web applications, which lead to information
leakage about version of the system (or server software).

In first part of the article Information leakage about version of the system
(http://websecurity.com.ua/3970/) I wrote about different Information
Leakage vulnerabilities in next web applications: WordPress, Nucleus, Power
Phlogger, YaBook, Pigalle. As leakages of version of the system, as leakages
of versions of PHP, MySQL and web server (in case of Power Phlogger, YaBook
and Pigalle).

In second part of the article (http://websecurity.com.ua/3974/) I wrote
about different Information Leakage vulnerabilities in next web
applications: Drupal, TYPO3, Joomla, pMachine Pro, ExpressionEngine.

And I'll continue this work and will publish new information leakages about
versions of other web applications in new articles.

P.S.

Information leakages about versions of web applications is widespread,
considered low risk and mostly ignored as by web developers (who made such
vulnerabilities), as by administrators of web sites. For this reason I never
wrote to web developers about such vulnerabilities in their web
applications, only in case of leakages of information about server software
(like in case of such webapps as Power Phlogger, YaBook and Pigalle).

So I prepared many of such vulnerabilities in different webapps (which I
found during last years) to publish them in series of the articles. Which
designed to draw attention of web developers, admins of web sites and
security community to this issue. So you can read these articles, if this
topic is interesting for you.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA



More information about the websecurity mailing list