1

If an open source web application is publishing the version via a public, non-access controlled API/Header, is it considered a security issue?

The premise of the question is that, if a particular version had a vulnerability which was fixed in a later release, attackers could target the vulnerable version if it is public.

This is similar to other web servers (like nginx, express) etc setting a header like X-Powered-By: Express/1.0.

Shahidh
  • 111
  • 3
  • I'm not sure attackers actually care about the reported software versions. I often see traces of totally unrelated attacks in access logs of web applications, for example I see WordPress exploits tried on static websites, or Joomla exploits on WordPress websites. This seems to imply that often automated attacks don't care to check versions, but they go straight to checking if an exploit works. – reed Jan 09 '19 at 10:26

2 Answers2

1

It's generally considered an unnecessary risk, yes. There is no need to make things easy for the automated vuln scanners or worms, much less an intelligent attackers. Legit users have no use for the information, developers / sysadmins can examine the server or connect to some internal-only diagnostic page with more info, and you'll save a smidgen of bandwidth to boot.

CBHacking
  • 42,359
  • 3
  • 76
  • 107
1

Hiding your server’s version information would be a form of security by obscurity. Sure it won’t hurt, but I would not really consider it a security issue.

An attacker can easily try hundreds of known vulnerabilities against your service in a matter of minutes. In this case, hiding the version, or even the name of the service, does nothing since the attacker is trying everything already. In general, you should always assume an attacker knows your entire technology stack.

Of course, the best solution is to have policies and methods in place to prevent running services with known exploits in the first place. I still disable it if I can, when I’m running these services. Maybe it will save a few megs of bandwidth at scale.

InvokeStatic
  • 133
  • 1
  • 5