Community Documentation

Why doesn't Drupal hide CHANGELOG.txt?

Last updated March 6, 2013. Created by catch on May 28, 2009.
Edited by dalin, grendzy, sepeck, Archnemysis.

This issue has been discussed publicly several times, most notably in #79018: protect Drupal core .txt files, where it was decided that there is no security benefit to hiding files such as CHANGELOG.txt.

For a more complete list of reasons please see the administration guide on Hide, obscure, or remove clues that a site runs on Drupal.

Comments

Mainly it comes down to

Mainly it comes down to this:
There are two types of attacks in the web world:
- automated bots that randomly surf the web looking for known exploits.
- someone who specifically wants to exploit your site.

For the first category they don't care what software your site is running or what version, they just wallop you with everything they've got. If you review your logs you'll see bots attempting exploits for everything from phpBB to SharePoint to Plone. Removing the files will have no effect.

For the second category they won't even check for the existence of the file. There are automated fingerprinting tools that will tell you with greater certainty what the site is running. For example:
https://addons.mozilla.org/en-US/firefox/addon/10493/
But this class of attacker knows that they are unlikely to find an exploitable vulnerability in the core CMS. Code is more likely to be vulnerable the fewer people that use it (and hence the fewer people that have audited it). This means lesser-used contrib modules, custom modules and custom themes. Specifically, theme code has historically been the most vulnerable. That's where an attacker will try penetration testing, and of course text files mean nothing here.

________________________
dave hansen-lange
Technical Lead
Advomatic.com
Great White North office
Canada
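As an added example (not part of this comment or of Drupal itself), here is a small log-triage script that shows what the "wallop you with everything" behaviour looks like in an access log: it tags each request with the product it probes for and lists clients that sprayed several unrelated products without ever checking what the site runs. The log lines, hosts and path signatures are constructed for illustration; a real ruleset would be much larger.

```python
import re
from collections import Counter

# Constructed Apache combined-format log lines (example hosts, not real traffic)
# showing the scanner behaviour described above: one client sprays probes for
# several unrelated products, another reads CHANGELOG.txt and goes no further.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Mar/2013:10:01:02 +0000] "GET /phpBB/viewtopic.php?t=1 HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.5 - - [06/Mar/2013:10:01:03 +0000] "GET /_vti_bin/owssvr.dll HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.5 - - [06/Mar/2013:10:01:04 +0000] "GET /portal_skins/custom/manage_main HTTP/1.1" 404 209 "-" "Mozilla/4.0"
198.51.100.9 - - [06/Mar/2013:10:02:00 +0000] "GET /CHANGELOG.txt HTTP/1.1" 200 55123 "-" "curl/7.29"
192.0.2.77 - - [06/Mar/2013:10:03:00 +0000] "GET /node/1 HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
"""

# Illustrative path signatures for the products named in the comment (constructed).
# CHANGELOG.txt is listed only to show how a fingerprint read differs from a spray.
SIGNATURES = [
    (re.compile(r"^/phpBB/|/viewtopic\.php$"), "phpBB"),
    (re.compile(r"^/_vti_bin/|^/_layouts/"), "SharePoint"),
    (re.compile(r"^/portal_skins/"), "Plone"),
    (re.compile(r"^/CHANGELOG\.txt$"), "Drupal"),
]

# Client IP, request method, path (query string included) and status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def classify(path):
    """Return the product a request path looks like a probe for, or None."""
    path = path.split("?", 1)[0]          # ignore the query string
    for pattern, product in SIGNATURES:
        if pattern.search(path):
            return product
    return None

def probes_by_client(log_text):
    """Map each client IP to a Counter of products it probed for."""
    result = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and (product := classify(m.group("path"))):
            result.setdefault(m.group("ip"), Counter())[product] += 1
    return result

def spray_scanners(log_text, min_products=2):
    """IPs that probed for at least min_products unrelated products: the
    'wallop you with everything' bots, which never checked what you run."""
    return sorted(ip for ip, c in probes_by_client(log_text).items() if len(c) >= min_products)
```

Running `spray_scanners(SAMPLE_LOG)` on the constructed log returns only `203.0.113.5`; the client that read CHANGELOG.txt is classified but does not qualify as a spray scanner, which is the distinction the comment draws.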

While obscurity is definitely

While obscurity is definitely not security, it may have some benefits. The mantra that it's a bad idea altogether is fairly dogmatically repeated in most security circles, but there are definitely some good arguments for using obscurity ON TOP OF real security. See especially:
https://secure.wikimedia.org/wikipedia/en/wiki/Security_through_obscurit...
http://www.infoworld.com/d/security-central/security-obscurity-it-works-432

Security

Thanks Dave. Appreciate that feedback.

Wanted to just say that the automated Mozilla addon was "disabled by an administrator."

There are a few others though like http://builtwith.com
https://addons.mozilla.org/en-US/firefox/addon/builtwith/

And the W3Techs Website http://w3techs.com/sites
https://addons.mozilla.org/en-US/firefox/addon/w3techs-website-technolog...

That can help with some basic identification.


About this page

Audience
Programmers, Site administrators

Administration & Security Guide

Drupal’s online documentation is © 2000-2013 by the individual contributors and can be used in accordance with the Creative Commons License, Attribution-ShareAlike 2.0. PHP code is distributed under the GNU General Public License. Comments on documentation pages are used to improve content and then deleted.