How do I locate the version I'm currently running ? I don't remember if I'm already updated to 4.6.3 or whether I'm using 4.6.1 at this point. Is there a file or location in the Admin to find this ?

Comments

stephenhendry’s picture

If you go to the changelog it will tell you what version you are running
--------------------------------------
http://www.stephenhendry.net

ica’s picture

-imo answer of this this question should be avaliable on every user among with other useful info in a overview.module where they can get on the default admin section which is not exist

sepeck’s picture

This is in the handbook here
http://drupal.org/node/27362 -last paragraph :)

In the Troubleshooting section there are a variety of answers to how to get logon blocks back
http://drupal.org/node/1213

Additional suggestions/handbook pages welcome.

-sp
---------
Test site, always start with a test site.
Drupal Best Practices Guide -|- Black Mountain

-Steven Peck
---------
Test site, always start with a test site.
Drupal Best Practices Guide

greggles’s picture

Maybe this should be hidden a little better...

See my other comment. It's just a matter of how easy you make life for the script kiddies.

greggles’s picture

Various systems (phpBB notably) have recently removed externally visible version numbers specifically because it helps the script kiddies.

It's not clear to me from your comment if you mean that this should be available only on the admin page or on every user's own page, but I would definitely say "only in a privileged page."

sepeck’s picture

If you are using Apache, you can lock out access via htaccess. If you are using IIS, you can use NTFS permissions. Obscurity does not grant security.

It helps the script kiddies how? If they run a script and you haven't updated to the latest version, then you are FUBAR'd, if they run a script and you have the latest version, then you are relatively safe. If they actually develop a version checking in their attck script and you update regularly, then it would seem to lower you profile somewhat.

-sp
---------
Test site, always start with a test site.
Drupal Best Practices Guide -|- Black Mountain

-Steven Peck
---------
Test site, always start with a test site.
Drupal Best Practices Guide

greggles’s picture

It helps the script kidides exactly as you have said.

In the case of phpBB2 there was a famous vulnerability in 2.13 or something like that. Scripts were created that exploited this, and then ran on the infected server to do a google search for a string that was specific to phpBB 2.13 to find more targets for them to attack. As a response, phpBB now removes these kinds of identifying strings from their distribution by default.

I know that people can remove them after the fact on their own, but it is better (in my opinion) to have the security settings on by default in the distribution, not something that requires a modification after the fact.

Obscurity does not grant security, but it improves security.

Greg

sepeck’s picture

One of the ways the phpBB script worked was to look for specific characteristics of phpBB. They also just did mass ip sweeps and reverse Google queries. My sites, which has never had phpBB, got hammered for a while with these scripts.

There are a number of characteristics in Drupal sites that are every bit as easy to find as the changelog.txt. Useing these characteristics you can do a variety of Google queries to find Drupal sites. On of the simpler ones would be this but there are better ways to do it with other items.

Again, security through obscurity is, in my opinion, an extremely ineffective approach and one I am not inclined to lose any sleep over.

-sp
---------
Test site, always start with a test site.
Drupal Best Practices Guide -|- Black Mountain

-Steven Peck
---------
Test site, always start with a test site.
Drupal Best Practices Guide

ica’s picture

admin 'page' is anly acessable by admin as the title suggest literally. no public users, users/members or 'script kissies'!?? or , green martians involved.
one might say admin should know already whho is the person already 'possible downloaded and installed the site but again it might not be the case always .. for instance if fantastico intaaled a site or he/she manages many sites etc. what is wrong for a driver not to see his /her cars name and model number on the dashboard?
- mentioning 'dashboard' could be a name for an overview module for drupal

venkat-rk’s picture

Go to www.yourdomain.com/CHANGELOG.txt if you installed drupal in the root of your site or www.yourdomain.com/drupalinstall/CHANGELOG.txt if you installed elsewhere. Just replace 'drupalinstall' wth the name you gave.

Incidentally, it is recommended that you change the name of CHANGELOG.txt to SOMETHINGELSE.txt (replace SOMETHINGELSE with your own name) so that hackers don't find out which version you are using and try to exploit it.

prokopton’s picture

1. Login as Admin

2. http://www.example.com/admin/logs/status

That should tell you what version you're running along with other system info.