html comment?

DusX · Post by **DusX** » Thu 17. Apr 2008, 02:24

OK, real quick/s question here..

The HTML comments that render into the front end. Can these be removed?
My concern is letting bots or other malicious clients know what system a site is running. I have had phpwcms sites hacked in the past, and a great way to avoid this would be to remove any client side mention on the system being used. I would of course leave all credit in the backend.

2: Can I change the path to the backend? I would like to have the backend in a obscurely name directory, or simply change the name of login.php to perhaps lg98485r.php.

Anyone have other security ideas? I can't always get updates done in a timely manner, so minimizing anyones understanding of how my site runs could be very helpful.

rushclub · Post by **rushclub** » Thu 17. Apr 2008, 08:16

DusX wrote:The HTML comments that render into the front end. Can these be removed?

as far as i know: NO

rush

Post by **juergen** » Thu 17. Apr 2008, 08:19

in adittion to rush ..:

I never ever saw a hacked phpwcms site, almost sql injection from other software, i.frame based rkits... and and and... Servers are playgrounds for root KIDS

marcus@localhorst · Post by **marcus@localhorst** » Thu 17. Apr 2008, 08:30

I have had phpwcms sites hacked in the past, and a great way to avoid this would be to remove any client side mention on the system being used.

I can't believe that this was phpwcms related leaks/failtures. Mostly a file of the SPAW editor, shipped with phpwcms earlier was the reason. (search this forum). Next thing is to take a closer look on your server settings.
Bots does not scan your source code for this comment, I cant believe that. And if - phpwcms is secure - and if you use older systems, there are a lot topics about fixing them here on board
On my serverlogfiles I always found requests of files that not exist (files with well known security holes from other systems like wordpress, or spaw, or forum software etc.) so I think, if you are konsequent and remove the credits you need to rename all files and folders -

so forget about that and take a closer look to your server, installed skripts and not to these comments - they are not the reason why your site was hacked.

greetings
marcus

DusX · Post by **DusX** » Thu 17. Apr 2008, 16:59

Well the first sql injection was via the email form included with phpwcms. I realize that it may have been a 3rd party component but never the less it was included, same with spaw etc..
The fact that anyone on this board or that have downloaded the source for phpwcms can determine its weak points, and then use either this forum (what site you are pround of) or other means to find site made with the system and exploit them.

I have used phpwcms for a number of sites over that past few years, and have also looked at/used a few other cms's.. many of which do not require any front end 'public' credits.
Its unfortunate but the semi-open nature of this system (1 author, enforced front end credits etc.) is likely going to push me from continuing to support the project (and yes I have supported/donated to it in the past).

It actually makes me a little sad

Jensensen · Post by **Jensensen** » Fri 18. Apr 2008, 13:43

btw. makes no sense to delete these comments because the HTTP HEADER sends sys information...so, somebody will know it, anyway...

Post by **Oliver Georgi** » Tue 29. Jul 2008, 19:58

Where is the problem - what does a comment have to do with security?

I have never forbidden to remove credits - it is not allowed to remove copyright information.

For me it sounds more like you are searching for a white label solution - for whatever needed.

You can use a simple .htaccess file to avoid accessing special files and folders or grant access to some IPs only or whatever.

Oliver

html comment?

html comment?

Re: html comment?

Re: html comment?

Re: html comment?

Re: html comment?

Re: html comment?

Re: html comment?