[wp-trac] [WordPress Trac] #19549: Please remove X-Mailer from class-phpmailer
WordPress Trac
wp-trac at lists.automattic.com
Tue Jan 3 22:30:07 UTC 2012
#19549: Please remove X-Mailer from class-phpmailer
-----------------------------------+-----------------------
Reporter: jwz | Owner: westi
Type: enhancement | Status: assigned
Priority: normal | Milestone: 3.4
Component: External Libraries | Version: 3.3
Severity: minor | Resolution:
Keywords: 2nd-opinion has-patch |
-----------------------------------+-----------------------
Comment (by Otto42):
Replying to [comment:12 jwz]:
> As I said in my initial report, please keep in mind that the reason I'm
> complaining about this is that providing people with version numbers of
> the software that is running on remote servers is a ''security exposure''.
> I'm not trying to de-brand this stuff for no reason. I'm trying to
> de-brand it because the first thing someone who's trying to hack your server
> wants to know is what it's running. The fewer identifiable clues that you
> provide to that, the safer you are.
People say this a lot, but I don't think the real-world facts bear it out.
If this sort of thing was a problem, my server logs wouldn't constantly
show signatures from years-old attacks on ASP-based systems.
People actively hacking websites don't target a specific site, in general.
They download a big list of "hacks", load them into their penetration
code, and mass spam them at as many sites as possible. Then they come back
later and see what succeeded. Checking for a version requires an extra
HTTP request, at minimum. Spamming a known attack at a site and then just
seeing if it worked or not doesn't.
Sure, security testing tools have version checkers and such, because
they're so easy to write. Heck, I've written a couple. They're useful for
investigation, but they're useless to 99.9999% of the actual attacks being
performed.
And for those people that might be targeting your site specifically,
hiding your version doesn't actually help, because they're better than
that. They can probably guess your version close enough to be useful just
by glancing at the site, if version was at all important for security
reasons.
A piece of software is either secure from the attacks performed on it, or
it's not. If it's insecure, hiding the version doesn't slow down an
attacker in the least. If it's secure, then having a version number
doesn't help them in the least.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/19549#comment:14>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
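As an added illustration of the mitigation the ticket asks for (this is not code from the ticket, from the attached patch, or from WordPress core), the following plugin snippet blanks PHPMailer's X-Mailer header from WordPress's `phpmailer_init` hook. It assumes PHPMailer omits the header entirely when `XMailer` is set to a whitespace-only string, which is how later PHPMailer releases behave and may not match the exact version the ticket discusses.

```php
<?php
/*
Plugin Name: Suppress X-Mailer (added example, not part of WordPress core)
Description: Stops outgoing mail from advertising the PHPMailer version.
*/

// wp_mail() fires 'phpmailer_init' just before sending and passes the
// PHPMailer instance by reference, so properties set here take effect.
add_action( 'phpmailer_init', 'example_suppress_x_mailer' );

function example_suppress_x_mailer( $phpmailer ) {
    // An empty string tells PHPMailer to emit its default
    // "X-Mailer: PHPMailer <version> (<url>)" header.
    // A whitespace-only value is trimmed to nothing and the header is
    // omitted altogether (assumption: PHPMailer's header builder behaves
    // this way in the release in use; verify by inspecting a sent message).
    $phpmailer->XMailer = ' ';
}
```

To confirm the change, send a test message through wp_mail() and check that the raw headers no longer contain an X-Mailer line.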