View Issue Details

ID: 0008764
Project: mantisbt
Category: security
View Status: public
Last Update: 2008-08-11 09:42
Reporter: patmfitz
Assigned To: grangeway
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Fixed in Version: 1.2.0a2
Summary: 0008764: Remove mantis version number from publicly searchable pages
Description

I wonder if it is a security vulnerability to publicly display the version of Mantis that you are running?

Take this scenario:

  • a security flaw is located in Mantis 1.5;
  • you fix the flaw and publish Mantis 1.6;
  • a hacker does a Google search for mantis 1.5 and finds all of the sites that have not upgraded to 1.6

To prevent this, it would be better to not display the version number on publicly accessible pages, and instead put it on an administrative page that is password protected.

Tags: No tags attached.

Activities

jreese (reporter), 2008-01-17 14:50, note ~0016702

It does allow users who know enough about Mantis to determine what features are available to them. However, there is a configurable option to disable showing the Mantis version: set $g_show_version = OFF in your config_inc.php file, and the version information will be hidden on all pages.

vboctor (manager), 2008-01-17 15:09, note ~0016704

What we can do is to disable the display of the version in the following scenarios:

  1. $g_show_version == OFF
  2. Logged user is anonymous (such pages are accessible to search engines by design).
  3. No user logged in (e.g. login_page), however, this will probably be covered by 2.
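As an added illustration, and not MantisBT's own code, the following combines the existing $g_show_version switch from config_inc.php that jreese mentions with the three scenarios vboctor lists into a single decision used when a page renders its footer. $g_show_version, the ON/OFF constants and config_inc.php are real MantisBT names; the function names, the $p_/$t_ variables and the sample version string are assumptions made for this example.

```php
<?php
// Added example, not MantisBT's own code. $g_show_version, ON/OFF and
// config_inc.php are real MantisBT names; everything else here is assumed.

// MantisBT defines ON/OFF itself; define them so this file runs stand-alone.
if ( !defined( 'ON' ) )  { define( 'ON', 1 ); }
if ( !defined( 'OFF' ) ) { define( 'OFF', 0 ); }

// What an administrator puts in config_inc.php to hide the version on every
// page (the option jreese describes). MantisBT ships with this set to ON.
$g_show_version = OFF;

/**
 * Decide whether a page may print the MantisBT version string.
 * Implements the three scenarios from vboctor's note: hidden when the option
 * is OFF, when nobody is logged in (e.g. login_page), or when the session is
 * the anonymous account that search engines crawl with.
 * (Assumed helper; the real check lives in MantisBT's page layout code.)
 *
 * @param int  $p_show_version  value of $g_show_version (ON or OFF)
 * @param bool $p_logged_in     true once a user session exists
 * @param bool $p_anonymous     true when that session is the anonymous account
 * @return bool
 */
function version_visible( $p_show_version, $p_logged_in, $p_anonymous ) {
	if ( $p_show_version == OFF ) {
		return false;          // scenario 1: globally disabled
	}
	if ( !$p_logged_in ) {
		return false;          // scenario 3: no session at all
	}
	if ( $p_anonymous ) {
		return false;          // scenario 2: anonymous, i.e. search-engine visible
	}
	return true;               // authenticated, non-anonymous user
}

/**
 * Build the footer fragment. Returns '' rather than the version when hidden,
 * so a public page carries nothing a search query could key on.
 */
function version_footer( $p_version, $p_show_version, $p_logged_in, $p_anonymous ) {
	if ( !version_visible( $p_show_version, $p_logged_in, $p_anonymous ) ) {
		return '';
	}
	return 'MantisBT ' . $p_version;
}

// Walk through the cases with a constructed version string.
$t_version = '1.2.0a2';
$t_cases = array(
	'option OFF, admin logged in'   => array( OFF, true,  false ),
	'option ON, login page'         => array( ON,  false, false ),
	'option ON, anonymous user'     => array( ON,  true,  true  ),
	'option ON, authenticated user' => array( ON,  true,  false ),
);
foreach ( $t_cases as $t_label => $t_args ) {
	list( $t_show, $t_logged_in, $t_anon ) = $t_args;
	$t_footer = version_footer( $t_version, $t_show, $t_logged_in, $t_anon );
	printf( "%-32s -> %s\n", $t_label, $t_footer === '' ? '(hidden)' : $t_footer );
}
```

Only the last case, an authenticated non-anonymous user with the option left ON, yields the version string; the other three yield an empty footer. Ordering the checks this way means the global OFF switch keeps its existing meaning, and the login-state rules only narrow what an ON site shows to the crawlable pages.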

patmfitz (reporter), 2008-01-17 15:16, note ~0016705

Thanks for the info and the great software!

grangeway (reporter), 2008-07-28 13:29, note ~0018724

Hello

Thank you for taking the time to report a problem with mantis.

A possible fix for this issue has been committed to SVN, for inclusion in the 1.2.0a2 release due within the next few weeks.

If you are able to reproduce this bug in the 1.2.0a2 release, or SVN trunk code, please change the status back to "Open", or open a new issue report with more information.

Again, thank you for your continued support and report.