Hey,
I have been using ProxmoxVE now for a while and you've done a fantastic job, thanks for creating such a great project!
I just noticed one thing:
Not a big thing, but currently the Proxmox web interface shows the detailed version running to everybody, even unauthenticated users on the web interface login screen.
I think this isn't that smart regarding security as it gives away some information if a system has been patched or not etc. and therefore can reveal sensitive information to a possible attacker.
Screenshot of the information "leak":

Yes, I know, you should always keep your systems updated etc., but it has become common sense to NOT display such detailed version information to the public anymore if not absolutely needed (take all the CMS, forum and blog software on the internet as an example. Most of them won't show their currently running version to the public anymore (for good reason) to make life harder for attackers).
After all this wouldn't be very hard to fix and could help improve security a bit. Maybe you could change this behaviour in your next release.

Best regards and thanks again!
## EDIT 2: Dietmar has provided an official patch, check one of the last posts!!
# EDIT:
If someone does not want to wait until this gets changed (if it gets changed), you can change this behavior by yourself quite easily:
Edit the /usr/share/pve-manager/root/index.pl file:
Find (~ line 45):
Code:
my $version = PVE::pvecfg::version_text();
Add "#" (comment out) in front of the above line, and add the following line below it:
Code:
my $version = "Whatever_you_may_want_to_add_here";
The index.pl file should look like this now:
Code:
...
...
    if (($username = PVE::AccessControl::verify_ticket($ticket, 1))) {
        $token = PVE::AccessControl::assemble_csrf_prevention_token($username);
    }
}
#my $version = PVE::pvecfg::version_text();
my $version = "Whatever_you_may_want_to_add_here";
$username = '' if !$username;
my $cgi = CGI->new($r);
my %args = $cgi->Vars();
...
...
Note: If you're logged in you will still see whatever you have defined as $version on the top left part of the web interface. If you want to know what version you're really running you have to go to the "Summary" tab of your node. Maybe this could be changed if the Proxmox team decides to fix this.
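As an added example (not code from the original post or from the Proxmox project), here is a variant of the index.pl change above that hides the detailed version only from the login screen while logged-in users keep seeing the real one. It assumes `$username` is the variable populated by `PVE::AccessControl::verify_ticket()` a few lines earlier in index.pl, as in the snippet above, and that `PVE::pvecfg::version_text()` is the call that returns the detailed version string.

```perl
# Added example, not from the original post or the Proxmox project.
# Replaces the single "my $version = ..." line in index.pl. It assumes
# $username was just set by PVE::AccessControl::verify_ticket() above
# (it is still undef at this point for visitors without a valid ticket).
my $version = $username
    ? PVE::pvecfg::version_text()   # valid ticket: show the real version
    : 'Proxmox VE';                 # login screen: generic label only
```

With this the "Summary" tab is no longer needed to find the real version once logged in, while unauthenticated visitors only see the generic label.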