
Posted (edited)

An important rule of (cyber) security is: don't expose more than what is strictly needed.

I would deny access to that file.

What's the point of letting anyone know what version you use? To know if a certain exploit can be used or that a vulnerability is present? You certainly don't want to provide rogue actors that valuable information.

 

Edited by xtech
Posted (edited)

That's something I actually did not know myself. I have restricted access to that file. Same thing goes for applications/forums/data/versions.json etc. (e.g. calendars, commerce)

Edited by Jock3r
Posted
On 1/16/2021 at 2:32 PM, Paul E. said:

That is pretty cray. Why is that a thing? Does something rely on that file?

Not via the web, no. If you wish to block web access to it you can.

Posted
On 1/18/2021 at 9:22 AM, bfarber said:

Not via the web, no. If you wish to block web access to it you can.

Do any of the json and xml files need to be accessible? I'm thinking we just blanket block any requests for those files.

Posted
3 hours ago, bfarber said:

No, those files don't need to be web accessible necessarily for the software to run correctly.

Well, they've been relegated to the bowels of 404 then. Thank you. 🙂

We've been on the receiving end of a coordinated attack for the past few days, which is seemingly trying to cause SQL injections by submitting bad parameters to all sorts of things. They have been pulling these URLs as part of their attack.

We've handled the evildoers through our firewalls, but good reminder to think about what needs to be exposed and what doesn't.
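Since the thread is about files that leak the installed version, here is an added example (not code from the thread or from Invision Community) of a small audit script that probes the paths under discussion and reports which ones a server still serves as real JSON/XML data. The only path named in the thread is applications/forums/data/versions.json; the other two paths, the user-agent string and the sample version key used in the comments are assumptions. It treats a 200 that returns the community's HTML "not found" page as not exposed, which matters because many front-controller setups answer every unknown URL with status 200.

```python
"""Exposure check for version/metadata files that a community site should not serve.

Added example for this thread, not code from Invision Community. The only
path named in the discussion is applications/forums/data/versions.json; the
other paths below are assumptions following the same layout and should be
edited to match the apps actually installed.
"""
import json
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

MAX_BODY = 1024 * 1024  # cap what we read; the target can answer with anything

# Paths to probe. The forums entry is from the thread; the rest are assumed.
CANDIDATE_PATHS = [
    "applications/forums/data/versions.json",
    "applications/core/data/versions.json",      # assumed
    "applications/calendar/data/versions.json",  # assumed
]


def classify(body: bytes) -> str:
    """Return 'json', 'xml' or 'other' for a response body.

    A well-formed HTML page (a soft 404 served with status 200) also parses
    as XML, so a root element named html is deliberately reported as 'other'.
    """
    try:
        json.loads(body)
        return "json"
    except (UnicodeDecodeError, ValueError):
        pass
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "other"
    return "other" if root.tag.lower().endswith("html") else "xml"


def verdict(status: int, body: bytes) -> str:
    """Decide what a response means for the path that was requested."""
    if status in (401, 403, 404):
        return "blocked"
    if status == 200:
        return "exposed" if classify(body) in ("json", "xml") else "served-but-not-data"
    return f"status-{status}"


def fetch(url: str, timeout: float = 5.0):
    """GET url and return (status, body); HTTP error statuses are results, not failures.

    urlopen follows redirects, so a redirect to an HTML page shows up as a
    200 with HTML and is classified 'served-but-not-data'.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(MAX_BODY)
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read(MAX_BODY)


def check_site(base_url: str, paths=CANDIDATE_PATHS) -> dict:
    """Probe each path under base_url and map it to its verdict."""
    base = base_url.rstrip("/")
    return {path: verdict(*fetch(f"{base}/{path}")) for path in paths}


if __name__ == "__main__":
    # Example run: python exposure_check.py https://community.example
    # A sample exposed body looks like {"105028": "4.5.4"} (constructed key).
    if len(sys.argv) != 2:
        sys.exit("usage: exposure_check.py https://community.example")
    for path, result in check_site(sys.argv[1]).items():
        print(f"{result:22} {path}")
```

Run it against a staging copy before and after adding the web server rules; every line should read "blocked". The XML parse is done on attacker-influenced input, so the body size is capped; if you point this at sites you do not control, swap ElementTree for defusedxml.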

Posted
26 minutes ago, Paul E. said:

Vaporware until released, and then patched, and maybe patched two more times.

Instead, #46:


I don't quite know what this means but just fyi y'all there is no 4.5.5 - the next release is 4.6 =]

Posted
26 minutes ago, Jordan Invision said:

I don't quite know what this means but just fyi y'all there is no 4.5.5 - the next release is 4.6 =]

I'm on 4.4, should I wait for 4.6?! ETA?

Posted
6 minutes ago, SUBRTX said:

I'm on 4.4, should I wait for 4.6?! ETA?

You should very carefully test an upgrade to 4.5 on a separate test copy of your 4.4 community. There are many significant changes in 4.4 to 4.5 and if you use any third-party plugins, themes, applications, translations, etc., things may no longer work, or require reengineering.

Going from 4.4 to 4.6 will be at least as painful as 4.4 to 4.5, likely worse. It will include all of the changes from 4.4 to 4.5 and whatever else has been done since then.

Best practice would be to backup your database and file storage before any upgrade, maintain a testing environment, and validate that the upgrade works as expected in test, that your dependencies work as expected, and that any add-ons you have in 4.4 upgrade correctly, and are functioning in 4.5.

If you'd like to do all that in an upgrade from 4.4 to 4.6, the same recommended practices would apply.

Posted (edited)
On 1/29/2021 at 10:24 PM, Jordan Invision said:

I don't quite know what this means but just fyi y'all there is no 4.5.5 - the next release is 4.6 =]

I realise this ship has probably long since sailed, but we're 3 months into 4.5.4, and there's a decent pile of bugs, including a currently unpatched security related one, that have piled up in that time. Is there any chance we can have a 4.5.5 release to fix some of those bugs, rather than watching 4.6 stretch further and further out? I pushed for the features to be included in 4.6 rather than 4.5.5, but I did not intend for that to be at the expense of the timely release of other changes. (I also recognise wanting to give staff a break etc, but we're well into 2021 now, and surely having more bugs fixed would reduce their load anyway?)

Edited by Colonel_mortis
Posted
12 minutes ago, Paul E. said:

Depending on your web server, make rules to deny access (404 or 403 errors) to the files you don't want served to the public.

Using cPanel, I found Error Pages, I see this as a 404 page, but not sure how to edit it. I tried adding my page outside of the edit marks, but it didn't block the page.

 

<!-- -->

Posted
15 hours ago, Square Wheels said:

Using cPanel, I found Error Pages, I see this as a 404 page, but not sure how to edit it. I tried adding my page outside of the edit marks, but it didn't block the page.


This would be done most easily by modifying your web server's configuration (apache, nginx, etc.)

If you use an .htaccess file, you could do it here.

This web site uses terms like cPanel and htaccess and may help you get in the right direction. Replace the extensions they care about with xml and json:

https://www.inmotionhosting.com/support/website/htaccess-prevent-filetype/
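As an added example of the .htaccess approach described above (not from the thread, the linked article or Invision Community), this Apache 2.4 fragment denies web requests for every .json and .xml file under the community root. The sitemap.xml allow-list entry is an assumed illustration of how to re-open a single file if your site serves one statically.

```apache
# Added example, not from the thread. Put this at the top of the .htaccess
# in the community root (Apache 2.4 syntax, before the software's own rules).

# Return 403 for any .json or .xml file under this directory. The application
# still reads these files from disk; only HTTP requests for them are refused.
<FilesMatch "\.(json|xml)$">
    Require all denied
</FilesMatch>

# Optional: if a static file must stay public, re-allow it by exact name.
# sitemap.xml is an assumed example; drop this block if you have no such file.
<Files "sitemap.xml">
    Require all granted
</Files>

# Alternative if you prefer a 404, which does not confirm the file exists.
# Needs mod_rewrite; place it before any existing RewriteRule that sends
# requests to index.php, otherwise that rule takes the request first.
# RewriteEngine On
# RewriteRule \.(json|xml)$ - [R=404,L]
```

On nginx the equivalent is a regex location such as `location ~* \.(json|xml)$ { return 404; }` placed ahead of the `location ~ \.php$` block, since regex locations are matched in configuration order. Whichever server you use, verify with `curl -sI https://your.site/applications/forums/data/versions.json` (expect 403 or 404), then browse the site with the developer tools network tab open to confirm nothing the front end loads was a static .json or .xml file.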

 
