Skip to content

I suggest you...

← Feature Suggestions

Remove the version number from the login page

If there is a security weakness for a particular panel version it doesn't help that the login page broadcasts the version number to an unverified user. Fine once they have logged in. Not before.

3 votes

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

QuotesUK shared this idea  ·   ·  Report…  ·  Admin →

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Karl May commented  ·   ·  Report

    Its not "already available", because the version number and micro-update is still in html source as "urlArgs":"18.0.62-2"

  • QuotesUK commented  ·   ·  Report

    No, of course not, a title tag is not a security weakness per se. However you only have to take the example of formmail and the way that script kiddies probe servers for outdated software installations.

    So lets just assume that the current version of Plesk has a security weakness in it, which is addressed and almost everyone upgrades, so problem solved. Well what happens to those that didn't upgrade for one reason or another? If their login page broadcasts the version number then it just makes it easy for a script kiddie to find them and exploit that weakness.

    Formmail took the initiative to mask version numbers to make exploits less successful. I'm just saying, if you're going to put the plesk version in the title tag then at least wait until the user has logged in.

    The formmail version disclosure issue was big at the time but there's mention of it here... http://www.securityspace.com/smysecure/catid.html?id=1.3.6.1.4.1.25623.1.0.10782

  • AdminSergey L (CTO, Plesk International GmbH) commented  ·   ·  Report

    Yes, I can see a version in the title. This can not count as a security weakness per se, until there would be an open vulnerability in Plesk of that version. If you are not sitting on the outdated version, there is no risk. And if you are on outdated version, the fix won't help - as the change will be in the latest version.

    We will consider this function, though so far it has very little votes and cannot be considered highest priority.

  • QuotesUK commented  ·   ·  Report

    Sergey, can you see the version in the title tag?

  • QuotesUK commented  ·   ·  Report

    Sergey, can you see the version number now?

  • QuotesUK commented  ·   ·  Report

    It's not on the web page, it's in the title...
    <title>Parallels Plesk Panel 11.5.30</title>

Feature Suggestions: Plesk (general)

Categories

Feedback and Knowledge Base

(thinking…)