Closed (duplicate)
Project: Drupal core
Version: 5.0-rc1
Component: base system
Priority: Normal
Category: Bug report
Assigned: Unassigned
Reporter:
Created: 25 Dec 2006 at 17:05 UTC
Updated: 25 Dec 2006 at 17:19 UTC
As distributed, any current Drupal install by default maintains the .txt files in the root directory of the install. Try for instance http://drupal.org/CHANGELOG.txt
While this is in itself not an intrinsic risk when sites are up-to-date, it provides would-be aggressors with an extremely simple way to check whether any given site is probably vulnerable to known attacks: they just need to check the CHANGELOG.txt file to know the likely version of the site and, hence, the potential vulnerabilities.
It would seem useful for the install process to remove these files after install, or to have them masked by a .htaccess rule in the default distribution.
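An added example, not part of the original issue and not Drupal's own code: a shell audit an administrator could run against a docroot to list the root-level .txt files the report describes, show the version CHANGELOG.txt discloses, and print an .htaccess block that masks them. The function names and the sample docroot are constructed for illustration, and the emitted rule assumes Apache 2.4 syntax.

```shell
#!/bin/sh
# Added example: audit a Drupal docroot for distribution .txt files that the
# web server would hand to any visitor. All function names are hypothetical.

# Print top-level *.txt files other than robots.txt (crawlers need that one).
list_exposed_txt() {
    for f in "$1"/*.txt; do
        [ -f "$f" ] || continue
        name=${f##*/}
        [ "$name" = "robots.txt" ] || printf '%s\n' "$name"
    done
}

# Print the version on the first "Drupal x.y" line of CHANGELOG.txt, i.e. the
# version a remote reader of the file would infer for the site.
changelog_version() {
    [ -f "$1/CHANGELOG.txt" ] || return 0
    sed -n '/^Drupal [0-9]/{s/^Drupal \([^, ]*\).*/\1/p;q;}' "$1/CHANGELOG.txt"
}

# Emit an .htaccess block denying the files found (Apache 2.4 syntax; on
# Apache 2.2 use "Order allow,deny" and "Deny from all" instead).
htaccess_rule() {
    alt=$(list_exposed_txt "$1" | sed 's/\./\\./g' | paste -sd '|' -)
    [ -n "$alt" ] || return 0
    printf '<FilesMatch "^(%s)$">\n  Require all denied\n</FilesMatch>\n' "$alt"
}

# Build a constructed sample docroot so the script runs offline.
make_sample_docroot() {
    d=$(mktemp -d)
    printf '// constructed sample\n\nDrupal 5.0, xxxx-xx-xx (development version)\n- sample entry\n\nDrupal 4.7.0, xxxx-xx-xx\n' > "$d/CHANGELOG.txt"
    : > "$d/INSTALL.txt"; : > "$d/robots.txt"; : > "$d/index.php"
    printf '%s\n' "$d"
}

# Audit the docroot given as $1, or the constructed sample when none is given.
root=${1:-$(make_sample_docroot)}
echo "Exposed files:"; list_exposed_txt "$root"
echo "Version disclosed by CHANGELOG.txt: $(changelog_version "$root")"
htaccess_rule "$root"
```

The generated block only hides the files from web requests; the version can still be inferred by other means, so it complements keeping the site up to date.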
Comments
Comment #1
ChrisKennedy commented
Thanks for the bug report - this issue is being discussed at http://drupal.org/node/79018