SUBRTX Posted January 16, 2021
I'm not an admin or mod... just curious. Maybe I could find any info from the page source? 😟
DawPi Posted January 16, 2021
boardurl.com/applications/core/data/versions.json
DawPi Posted January 16, 2021
@SUBRTX, why are you confused? I've replied to you.
xtech Posted January 16, 2021
An important rule of (cyber) security is: don't expose more than what is strictly needed. I would deny access to that file. What's the point of letting anyone know which version you use? To know if a certain exploit can be used, or that a vulnerability is present? You certainly don't want to provide rogue actors with that valuable information.
SUBRTX (Author) Posted January 16, 2021
1 hour ago, DawPi said: @SUBRTX, why are you confused? I've replied to you.
I got it now, thanks!
CoffeeCake Posted January 16, 2021
That is pretty cray. Why is that a thing? Does something rely on that file?
Jock3r Posted January 17, 2021
That's something I actually did not know myself. I have restricted access to that file. The same goes for applications/forums/data/versions.json etc. (e.g. calendar, commerce).
bfarber Posted January 18, 2021
On 1/16/2021 at 2:32 PM, Paul E. said: That is pretty cray. Why is that a thing? Does something rely on that file?
Not via the web, no. If you wish to block web access to it you can.
CoffeeCake Posted January 24, 2021
On 1/18/2021 at 9:22 AM, bfarber said: Not via the web, no. If you wish to block web access to it you can.
Do any of the json and xml files need to be accessible? I'm thinking we just blanket block any requests for those files.
bfarber Posted January 25, 2021
No, those files don't need to be web accessible for the software to run correctly.
CoffeeCake Posted January 25, 2021
3 hours ago, bfarber said: No, those files don't need to be web accessible for the software to run correctly.
Well, they've been relegated to the bowels of 404 then. Thank you. 🙂 We've been on the receiving end of a coordinated attack for the past few days, whose efforts are seemingly trying to cause SQL injection by submitting bad parameters to all sorts of things. They have been pulling these URLs as part of their attack. We've handled the evildoers through our firewalls, but it's a good reminder to think about what needs to be exposed and what doesn't.
Jordan Miller Posted January 29, 2021
No one's going to mention 4.6? 🙃
aXenDev Posted January 29, 2021
8 minutes ago, Jordan Invision said: No one's going to mention 4.6? 🙃
Because 4.5.5 isn't released yet.
Jordan Miller Posted January 29, 2021
4 minutes ago, aXenDev said: Because 4.5.5 isn't released yet.
Lol, I know, just joshin' 🐒
CoffeeCake Posted January 29, 2021
1 hour ago, Jordan Invision said: No one's going to mention 4.6? 🙃
Vaporware until released, and then patched, and maybe patched two more times. Instead, #46:
Jordan Miller Posted January 29, 2021
26 minutes ago, Paul E. said: Vaporware until released, and then patched, and maybe patched two more times. Instead, #46:
I don't quite know what this means, but just FYI y'all, there is no 4.5.5; the next release is 4.6 =]
CoffeeCake Posted January 29, 2021
2 minutes ago, Jordan Invision said: I don't quite know what this means
About 73% of what I say is smatterings of nonsense, mixed with a pinch of glerp. 😄
Jordan Miller Posted January 29, 2021
13 minutes ago, Paul E. said: About 73% of what I say is smatterings of nonsense, mixed with a pinch of glerp. 😄
We love a glerp 😅
SUBRTX (Author) Posted January 29, 2021
26 minutes ago, Jordan Invision said: I don't quite know what this means, but just FYI y'all, there is no 4.5.5; the next release is 4.6 =]
I'm on 4.4, should I wait for 4.6?! ETA?
CoffeeCake Posted January 29, 2021
6 minutes ago, SUBRTX said: I'm on 4.4, should I wait for 4.6?! ETA?
You should very carefully test an upgrade to 4.5 on a separate test copy of your 4.4 community. There are many significant changes from 4.4 to 4.5, and if you use any third-party plugins, themes, applications, translations, etc., things may no longer work, or may require reengineering. Going from 4.4 to 4.6 will be at least as painful as 4.4 to 4.5, likely worse. It will include all of the changes from 4.4 to 4.5 and whatever else has been done since then. Best practice would be to back up your database and file storage before any upgrade, maintain a testing environment, and validate that the upgrade works as expected in test, that your dependencies work as expected, and that any add-ons you have in 4.4 upgrade correctly and are functioning in 4.5. If you'd like to do all that in an upgrade from 4.4 to 4.6, the same recommended practices would apply.
Colonel_mortis Posted January 30, 2021
On 1/29/2021 at 10:24 PM, Jordan Invision said: I don't quite know what this means, but just FYI y'all, there is no 4.5.5; the next release is 4.6 =]
I realise this ship has probably long since sailed, but we're 3 months into 4.5.4, and there's a decent pile of bugs, including a currently unpatched security-related one, that have piled up in that time. Is there any chance we can have a 4.5.5 release to fix some of those bugs, rather than watching 4.6 stretch further and further out? I pushed for the features to be included in 4.6 rather than 4.5.5, but I did not intend for that to be at the expense of the timely release of other changes. (I also recognise wanting to give staff a break etc., but we're well into 2021 now, and surely having more bugs fixed would reduce their load anyway?)
CoffeeCake Posted January 31, 2021
7 hours ago, Square Wheels said: How do I block this file?
Depending on your web server, make rules to deny access (404 or 403 errors) to the files you don't want served to the public.
Square Wheels Posted January 31, 2021
12 minutes ago, Paul E. said: Depending on your web server, make rules to deny access (404 or 403 errors) to the files you don't want served to the public.
Using cPanel, I found Error Pages. I see this as a 404 page, but I'm not sure how to edit it. I tried adding my page outside of the edit marks, but it didn't block the page. <!-- <!-- -->
CoffeeCake Posted January 31, 2021
15 hours ago, Square Wheels said: Using cPanel, I found Error Pages. I see this as a 404 page, but I'm not sure how to edit it. I tried adding my page outside of the edit marks, but it didn't block the page. <!-- <!-- -->
This would be done most easily by modifying your web server's configuration (Apache, nginx, etc.). If you use an .htaccess file, you could do it there. This web site uses terms like cPanel and htaccess and may help get you in the right direction. Replace the extensions they care about with xml and json: https://www.inmotionhosting.com/support/website/htaccess-prevent-filetype/
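Worked example of the rules discussed in this thread (added here as an illustration; it is not code from the thread, from cPanel, or from Invision Community). It assumes an Apache 2.4 server (mod_authz_core and mod_rewrite loaded) with .htaccess overrides allowed in the web root, and the applications/<app>/data/ layout named above; the comments mark those assumptions.

```apache
# Added example, not part of the original thread.
# Goal: stop the web server from serving applications/*/data/*.json and
# *.xml (e.g. applications/core/data/versions.json), which the software
# reads from disk and never needs over HTTP (per bfarber above).
# Assumes Apache 2.4 with mod_authz_core and mod_rewrite, and that this
# .htaccess sits in the community's web root with AllowOverride permitting
# FileInfo and AuthConfig directives.

# Option 1: deny every .json/.xml file anywhere below this directory.
# Apache answers 403, which still tells a scanner the path exists.
# Loosen the pattern if you deliberately serve a static .json/.xml file.
<FilesMatch "\.(json|xml)$">
    Require all denied
</FilesMatch>

# Option 2 (narrower, preferred): only the application data directories,
# answered with 404 so the response looks like a missing file.
# Keep this rule above any existing rule that routes requests to
# index.php, otherwise that rule may claim the request first.
RewriteEngine On
RewriteRule ^applications/[^/]+/data/.*\.(json|xml)$ - [R=404,L]
```

Verify from outside after deploying: `curl -sI https://boardurl.com/applications/core/data/versions.json | head -1` should now report 404 (option 2) or 403 (option 1) instead of 200; repeat for the other applications (forums, calendar, commerce). On nginx the equivalent is a regex location in the server block, placed before the location that passes requests to PHP: `location ~* ^/applications/[^/]+/data/.*\.(json|xml)$ { return 404; }`. Hiding the version file shrinks what an automated scanner learns, but it does not fix whatever that version is vulnerable to; applying updates remains the actual mitigation.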