Login-Screen

Posted: Wed 25. Aug 2004, 12:23
by rowitech
Hi,

I found it useful to create a link to my login screen of phpwcms. But even if I didn't, it may be a security hole letting the unregistered user see which version I did install. So please tell me what is the goal of letting the just-surfed-in user see exactly which version I have?

I would like to switch off every content in the login screen except for the login itself and the phpwcms notice. I really don't like the surfed-in-user to show which person is currently logged in, it won't make sense.

What do you think about it?

My version is 1.1-RC4 22-06-2004

Rolf

Re: Login-Screen

Posted: Fri 17. Sep 2004, 20:28
by evan
rowitech wrote: Hi,

I found it useful to create a link to my login screen of phpwcms. But even if I didn't, it may be a security hole letting the unregistered user see which version I did install. So please tell me what is the goal of letting the just-surfed-in user see exactly which version I have?
That's a non-issue, since the version of phpwcms is put in the HTML source of every page anyway. Since there are no known security holes in the newest version of phpwcms, who cares if someone knows what version you're using? Even if it didn't display what version you used, you'd still be vulnerable to attacks, if any existed.
I really don't like the surfed-in-user to show which person is currently logged in, it won't make sense.
What doesn't make sense is that you're so worried about this.

Just don't link to login.php on your home page. Or if you're really that paranoid, use a .htaccess to password protect login.php at the server level.
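
The server-level protection suggested in the last reply could look like the following `.htaccess`, placed in the directory that holds login.php. This is an added example, not part of the original thread or of phpwcms; the realm name and the password file path are assumptions, and the server must permit `AllowOverride AuthConfig` for that directory.

```apache
# .htaccess in the directory containing login.php
# Only requests for login.php are challenged; public pages stay open.
<Files "login.php">
    AuthType Basic
    # Realm text shown in the browser prompt (assumed name)
    AuthName "Restricted"
    # Assumed path: keep the password file outside the web root.
    # Create it with: htpasswd -c /path/outside/webroot/.htpasswd username
    AuthUserFile /path/outside/webroot/.htpasswd
    Require valid-user
</Files>

# Basic auth sends the credentials with every request in a trivially
# decodable form, so serve login.php over HTTPS.
```

With this in place, the phpwcms login form, including the version string and logged-in user it displays, is only reachable after the server-level password prompt.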