
I'm not an admin or mod...just curious.

Maybe I could find any info from page source?...😟

  • Community Expert

@SUBRTX, why are you confused? I've replied to you.

 

An important rule of (cyber) security is: don't expose more than what is strictly needed.

I would deny the access to that file.

What's the point of letting anyone know what version you use? To know if a certain exploit can be used or that a vulnerability is present? You certainly don't want to provide rogue actors that valuable information.

 

Edited by xtech

  • Author
 

@SUBRTX, why are you confused? I've replied to you.

 

I got it now, thanks!

That is pretty cray. Why is that a thing? Does something rely on that file?

That's something I actually did not know myself. I have restricted access to that file. Same thing goes for applications/forums/data/versions.json etc. (e.g. calendars, commerce)

Edited by Jock3r

 

That is pretty cray. Why is that a thing? Does something rely on that file?

Not via the web, no. If you wish to block web access to it you can.

 

Not via the web, no. If you wish to block web access to it you can.

Do any of the json and xml files need to be accessible? I'm thinking we just blanket block any requests for those files.

No, those files don't need to be web accessible necessarily for the software to run correctly.

 

No, those files don't need to be web accessible necessarily for the software to run correctly.

Well, they've been relegated to the bowels of 404 then. Thank you. 🙂

We've been on the receiving end of a coordinated attack for the past few days, whose efforts are seemingly trying to cause SQL injections by submitting bad parameters to all sorts of things. They have been pulling these URLs as part of their attack.

We've handled the evildoers through our firewalls, but good reminder to think about what needs to be exposed and what doesn't.

 

No one's going to mention 4.6? 🙃

Because 4.5.5 isn't released yet.

 

 

Because 4.5.5 isn't released yet.

 

Lol I know just joshin 🐒 

 

No one's going to mention 4.6? 🙃

Vaporware until released, and then patched, and maybe patched two more times.

Instead, #46:

Election 2020 Reaction GIF by CBS News

 

Vaporware until released, and then patched, and maybe patched two more times.

Instead, #46:

Election 2020 Reaction GIF by CBS News

I don't quite know what this means but just fyi y'all there is no 4.5.5 - the next release is 4.6 =]

 

I don't quite know what this means

About 73% of what I say is smatterings of nonsense, mixed with a pinch of glerp. 😄

 

About 73% of what I say is smatterings of nonsense, mixed with a pinch of glerp. 😄

We love a glerp 😅

  • Author
 

I don't quite know what this means but just fyi y'all there is no 4.5.5 - the next release is 4.6 =]

I'm on 4.4, should I wait for 4.6?! ETA?

 

I'm on 4.4, should I wait for 4.6?! ETA?

You should very carefully test an upgrade to 4.5 on a separate test copy of your 4.4 community. There are many significant changes in 4.4 to 4.5 and if you use any third-party plugins, themes, applications, translations, etc., things may no longer work, or require reengineering.

Going from 4.4 to 4.6 will be at least as painful as 4.4 to 4.5, likely worse. It will include all of the changes from 4.4 to 4.5 and whatever else has been done since then.

Best practice would be to back up your database and file storage before any upgrade, maintain a testing environment, and validate that the upgrade works as expected in test, that your dependencies work as expected, and that any add-ons you have in 4.4 upgrade correctly, and are functioning in 4.5.

If you'd like to do all that in an upgrade from 4.4 to 4.6, the same recommended practices would apply.

How do I block this file?

 

I don't quite know what this means but just fyi y'all there is no 4.5.5 - the next release is 4.6 =]

I realise this ship has probably long since sailed, but we're 3 months into 4.5.4, and there's a decent pile of bugs, including a currently unpatched security related one, that have piled up in that time. Is there any chance we can have a 4.5.5 release to fix some of those bugs, rather than watching 4.6 stretch further and further out? I pushed for the features to be included in 4.6 rather than 4.5.5, but I did not intend for that to be at the expense of the timely release of other changes. (I also recognise wanting to give staff a break etc, but we're well into 2021 now, and surely having more bugs fixed would reduce their load anyway?)

Edited by Colonel_mortis

 

How do I block this file?

Depending on your web server, make rules to deny access (404 or 403 errors) to the files you don't want served to the public.

 

Depending on your web server, make rules to deny access (404 or 403 errors) to the files you don't want served to the public.

Using cPanel, I found Error Pages, I see this as a 404 page, but not sure how to edit it.  I tried adding my page outside of the edit marks, but it didn't block the page.

 

<!-- 
                               
<!-- 
         
--> 

 

Using cPanel, I found Error Pages, I see this as a 404 page, but not sure how to edit it.  I tried adding my page outside of the edit marks, but it didn't block the page.

 

<!-- 
                               
<!-- 
         
--> 

This would be done most easily by modifying your web server's configuration (apache, nginx, etc.)

If you use an .htaccess file, you could do it here.

This web site uses terms like cPanel and htaccess and may be helpful to get you in the right direction. Replace the extensions they care about with xml and json:

https://www.inmotionhosting.com/support/website/htaccess-prevent-filetype/
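
As an added example (not part of the original posts and not the vendor's own configuration), this is one way to write the blanket block of `.json` and `.xml` files discussed in this thread as an Apache 2.4 `.htaccess` fragment. It assumes mod_authz_core (and mod_alias for the 404 variant) are loaded and that the host's AllowOverride setting permits these directives; before applying it, check that nothing you intentionally serve ends in one of these extensions.

```apache
# Added example: place in the .htaccess at the community's web root (Apache 2.4+).

# Option A: answer 403 Forbidden for any file on disk ending in .json or .xml,
# in any directory. This covers applications/forums/data/versions.json and the
# equivalent files of the other applications. FilesMatch tests the name of the
# file being served, so pages generated by PHP are not affected.
<IfModule mod_authz_core.c>
    <FilesMatch "(?i)\.(json|xml)$">
        Require all denied
    </FilesMatch>
</IfModule>

# Option B: answer 404 Not Found instead, so the response does not confirm that
# the file exists. This matches on the requested URL path rather than the file
# name, and requires mod_alias. Use it in place of Option A, not together.
# RedirectMatch 404 "(?i)\.(json|xml)$"
```

To confirm the rule is active, request one of the files from outside (for example `curl -I https://your-site.example/applications/forums/data/versions.json`, with your own host name substituted) and check that the status line is 403 or 404 rather than 200.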

 
