View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0008764 | mantisbt | security | public | 2008-01-17 14:00 | 2008-08-11 09:42 |
Reporter | patmfitz | Assigned To | grangeway |
Priority | normal | Severity | minor | Reproducibility | always |
Status | closed | Resolution | fixed |
Fixed in Version | 1.2.0a2 |
Summary | 0008764: Remove mantis version number from publicly searchable pages |
Description | I wonder if it is a security vulnerability to publicly display the version of Mantis that you are running? Take this scenario:
To prevent this, it would be better to not display the version number on publicly accessible pages, and instead put it on an administrative page that is password protected. |
Tags | No tags attached. |
It does allow users who know enough about Mantis to determine what features are available to them. However, there is a configurable option to disable showing the Mantis version: set $g_show_version = OFF in your config_inc.php file, and the version information will be hidden on all pages. |
|
What we can do is to disable the display of the version in the following scenarios:
|
|
Thanks for the info and the great software! |
|
Hello. Thank you for taking the time to report a problem with Mantis. A possible fix for this issue has been committed to SVN, for inclusion in the 1.2.0a2 release due within the next few weeks. If you are able to reproduce this bug in the 1.2.0a2 release, or SVN trunk code, please change the status back to "Open", or open a new issue report with more information. Again, thank you for your continued support and report. |
|