html comment?

phpwcms is released under GPL. Use this forum to discuss the GPL or inform about possible offences against phpwcms' copyrights.
DusX
Posts: 99
Joined: Thu 1. Apr 2004, 16:00
Location: Canada

html comment?

Post by DusX »

OK, real quick/s question here..

The HTML comments that render into the front end. Can these be removed?
My concern is letting bots or other malicious clients know what system a site is running. I have had phpwcms sites hacked in the past, and a great way to avoid this would be to remove any client side mention of the system being used. I would of course leave all credit in the backend.

2: Can I change the path to the backend? I would like to have the backend in an obscurely named directory, or simply change the name of login.php to perhaps lg98485r.php.

Anyone have other security ideas? I can't always get updates done in a timely manner, so minimizing anyone's understanding of how my site runs could be very helpful.
rushclub
Posts: 915
Joined: Tue 17. Feb 2004, 18:52

Re: html comment?

Post by rushclub »

DusX wrote: The HTML comments that render into the front end. Can these be removed?
As far as I know: NO :)

rush
Waiting 3 (!) years is enough for me. I'm gone for now.
juergen
Moderator
Posts: 4556
Joined: Mon 10. Jan 2005, 18:10
Location: Weinheim

Re: html comment?

Post by juergen »

in addition to rush ..:

I never ever saw a hacked phpwcms site, almost sql injection from other software, i.frame based rkits... and and and... Servers are playgrounds for root KIDS :!:
marcus@localhorst
Posts: 815
Joined: Fri 28. May 2004, 11:31
Location: localhorst

Re: html comment?

Post by marcus@localhorst »

DusX wrote: I have had phpwcms sites hacked in the past, and a great way to avoid this would be to remove any client side mention on the system being used.
I can't believe that this was phpwcms related leaks/failures. Mostly a file of the SPAW editor, shipped with phpwcms earlier, was the reason. (search this forum). Next thing is to take a closer look at your server settings.
Bots do not scan your source code for this comment, I can't believe that. And if - phpwcms is secure - and if you use older systems, there are a lot of topics about fixing them here on board
In my server log files I always found requests for files that do not exist (files with well known security holes from other systems like wordpress, or spaw, or forum software etc.) so I think, if you are consistent and remove the credits you need to rename all files and folders - :twisted:
so forget about that and take a closer look at your server, installed scripts and not at these comments - they are not the reason why your site was hacked.

greetings
marcus
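
Added example (not part of marcus's post and not phpwcms code): a short Python pass over an access log that surfaces the pattern described in the post above, clients requesting many files that do not exist on the site. The log lines are constructed samples in Apache combined format, and `find_probers` and its `min_paths` threshold are names chosen for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined log format (not taken from the thread).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2009:04:12:01 +0100] "GET /wp-login.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2009:04:12:02 +0100] "GET /xmlrpc.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2009:04:12:03 +0100] "GET /phpmyadmin/index.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.20 - - [10/Mar/2009:09:30:11 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.20 - - [10/Mar/2009:09:30:15 +0100] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
this line is malformed and must be skipped
"""

# client, ident, user, [timestamp], "METHOD target protocol", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')


def find_probers(log_text, min_paths=3):
    """Return {client_ip: sorted missing paths} for clients that requested
    at least min_paths distinct paths answered with 404."""
    missing = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing
        ip, _method, target, status = m.groups()
        if status == "404":
            # Drop the query string so one probed file counts once.
            missing[ip].add(target.split("?", 1)[0].lower())
    return {ip: sorted(p) for ip, p in missing.items() if len(p) >= min_paths}


if __name__ == "__main__":
    for ip, paths in find_probers(SAMPLE_LOG).items():
        print(ip, len(paths), "missing paths:", ", ".join(paths))
```

A single 404 for something like a favicon stays below the threshold; only clients that walk several nonexistent paths are reported.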
DusX
Posts: 99
Joined: Thu 1. Apr 2004, 16:00
Location: Canada

Re: html comment?

Post by DusX »

Well the first SQL injection was via the email form included with phpwcms. I realize that it may have been a 3rd party component but nevertheless it was included, same with spaw etc..
The fact that anyone on this board or that have downloaded the source for phpwcms can determine its weak points, and then use either this forum (what site you are proud of) or other means to find sites made with the system and exploit them.

I have used phpwcms for a number of sites over the past few years, and have also looked at/used a few other cms's.. many of which do not require any front end 'public' credits.
It's unfortunate but the semi-open nature of this system (1 author, enforced front end credits etc.) is likely going to push me from continuing to support the project (and yes I have supported/donated to it in the past).

It actually makes me a little sad :cry:
Jensensen
Posts: 3000
Joined: Tue 17. Oct 2006, 21:11
Location: auf der mlauer

Re: html comment?

Post by Jensensen »

btw. makes no sense to delete these comments because the HTTP HEADER sends sys information...so, somebody will know it, anyway...
{so_much} | Knick-Knack. | GitHub
Umlauts in the URL are mostly always crap.
Oliver Georgi
Site Admin
Posts: 9888
Joined: Fri 3. Oct 2003, 22:22

Re: html comment?

Post by Oliver Georgi »

Where is the problem - what does a comment have to do with security?

I have never forbidden to remove credits - it is not allowed to remove copyright information.

For me it sounds more like you are searching for a white label solution - for whatever needed.

You can use a simple .htaccess file to avoid accessing special files and folders or grant access to some IPs only or whatever.

Oliver
Oliver Georgi | phpwcms Developer | GitHub | LinkedIn | Систрон