I just read that DarkFig from milw0rm released a PHP script that targets multiple vulnerabilities present in Invision Power Board (IPB), versions <= 2.3.5. I run an IPB forum together with a few other people and I noticed that right at the bottom, there’s this little footnote…
In all frustration, I told one of my guys to remove the version from the footer. After all, with almost 50,000 members, half of whom are probably easily irritable and irrational, it wouldn’t take too much of a genius to notice the same things I did and launch an attack.
In defence, he presented me with this argument - displaying the version number shows users that we are diiligent at patching our software, with 2.3.5 being the latest version available and we’ve got it. It gives them the sense of security and the “illusion” that we are responsible forum admins.
This lead me to think - is removing the version number from software that is exposed to the web (including, but not limited to web applications, server operating system, web backend, etc) just security through obscurity? Or is there really more to it?
When people say “security through obscurity is no security at all”, it probably holds true in the long term, whereby the number of attacking attempts and possible vulnerabilities found increases as time passes. In the short term, though, it might be better to always provide yourself with some time buffer. So, I say, spoof / remove version numbers from being displayed.
What are your views?
