From version < 6.1 >
edited by Caleb James DeLisle
on 2010/05/03
To version < 7.1 >
edited by Alex Busenius
on 2010/05/03
Change comment: There is no comment for this version



Page properties
... ... @@ -1,1 +1,1 @@
1 -XWiki.Caleb_James_DeLisle
1 +XWiki.nickless
... ... @@ -41,6 +41,19 @@
41 41  Even if the password cannot be extracted from the cookie, the cookies might be stolen See: [[XSS>>#Hcrosssitescripting]] and used as they are.
42 42  By setting the //[[xwiki.cfg>>AdminGuide.Configuration#HSamplexwikiproperties]]// parameter ##xwiki.authentication.useip## to true you can block the cookies from being used except by the same ip address which got them.
43 43  
44 +== Override version information ==
45 +
46 +By default, the exact XWiki Enterprise version is shown in the footer of every page. This is not harmful by itself, but can provide useful information to the attacker, who can use known vulnerabilities against this version.
47 +
48 +You can change the version string shown in the footer using the [[Administration Application>>code:Applications.AdministrationApplication]]. Click on ##Presentaton## icon and change the version string in the //Version// field.
49 +
50 +If you want to be sure the version is definitely not leaked somewhere else, you can replace the file //WEB-INF/version.properties// by your own version with the following content:
51 +
52 +{{code}}
53 +version=your version string here
54 +{{/code}}
55 +
56 +
44 44  = Discussion of attack vectors =
45 45  Perfect security is generally considered impossible. With simple static HTML servers we can have near perfect security but those are not very useful. This document discusses different threat models and how to fortify against each. These attacks are grouped by type of access gained if successful. More dangerous attacks are near the top yet the most common attacks are less dangerous (and easier to perform) and will be seen at the bottom.
46 46  

Get Connected