+3 votes
423 views
in Q2A Core by

I was taking a look at the Q2A change-log and just noticed that since version 1.5.1 the file "Version.txt" has been added to the Q2A script to show the current version of the script.

It is not a security problem NOW and you don't need to get worried. However, common scripts do not simply let visitors (or hackers) know which version of the script they are using, because it makes it easier to organize and track exploits and lets hackers damage a large number of sites using a simple script that finds and hacks these sites. There are even hack tools to show which version of a script a site uses.

How is it a threat?

Usually when a security update is implemented in a script, these dishonorable hackers can find the bug that was fixed by the developers by comparing the new and old source code. Then they use Google to find all sites using old versions of the script (without the security update) and simply use the unfixed bug to hack a large number of sites which did not have the latest update! Now having a version.txt file just makes it as easy as typing a single query in Google search.

If they cannot determine which version of Q2A is used by our Q2A sites, they will have to manually search through thousands of Q2A sites.

Solution:

Simply remove the version.txt file.

Hopefully this file will be removed by Gideon Greenspan in the next version.


**** Also, I remember when I was looking at the Markdown Editor I noticed that it was not sanitizing the input. Maybe it needs to be checked too.

Q2A is still the best Q&A script
best regards

Towhid from QA-Themes.com

1 Answer

+2 votes
by
selected by
 
Best answer
Thanks for the note, but it doesn't really make Q2A less secure since Google doesn't index the VERSION.txt files, and it's easy to discover the version in other ways from the page source.
by
I think so as well. HTML and public functions get changed in different versions. It is mostly easy to identify the version that is running. E.g. like gidgreen is doing it: setting the version number behind the included JavaScript file. See the HTML source, here it is: page.js?1.5.4-dev
by
@gidgreen: "1.5.4dev" reminds me... please just change the current CSS in color style :) better for our eyes, http://www.question2answer.org/qa/18495/
by
Plus if a security hole is discovered, there is nothing stopping an attacker running it on every Q2A site they can find.
...
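Added example, not part of the original thread or of Q2A's code: a self-audit of your own page source for the leak the answer and first comment describe, where a release number rides on an asset URL such as `page.js?1.5.4-dev`. The version pattern, the function and class names, and the sample HTML (apart from `page.js?1.5.4-dev`) are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Version-like token such as "1.5.4" or "1.5.4-dev" (pattern is an assumption).
VERSION_RE = re.compile(r"^\d+(?:\.\d+)+(?:[-.]?[A-Za-z][\w.-]*)?$")


class AssetVersionAudit(HTMLParser):
    """Collect <script src> / <link href> URLs whose query string carries a version."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (tag, path, version)

    def handle_starttag(self, tag, attrs):
        wanted = {"script": "src", "link": "href"}.get(tag)
        url = dict(attrs).get(wanted) if wanted else None
        if not url:
            return
        parts = urlsplit(url)
        # Check the bare query ("?1.5.4-dev") and each key/value of "?ver=1.5.4".
        for cand in [parts.query] + re.split(r"[&=]", parts.query):
            if cand and VERSION_RE.match(cand):
                self.findings.append((tag, parts.path, cand))
                break


def audit_page_source(html):
    """Return every asset reference in `html` that discloses a version string."""
    parser = AssetVersionAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page source (paths are placeholders, not a real site's).
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/assets/site.css?1.5.4-dev">
<script src="/static/jquery.min.js"></script>
<script src="/static/page.js?1.5.4-dev"></script>
<link rel="icon" href="/favicon.ico?v=2">
</head><body></body></html>
"""

if __name__ == "__main__":
    for tag, path, version in audit_page_source(SAMPLE_HTML):
        print(f"{tag}: {path} exposes version {version}")
```

A non-empty result means that deleting VERSION.txt alone does not hide the release from anyone who reads the page source.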