#1591 Sensitive information disclosure

Milestone: v4.x
Status: closed
Owner: nobody
Labels: disclosure (1)
Priority: 5
Updated: 2013-08-05
Created: 2013-07-13
Creator: Lonesome Walker
Private: No

It is not necessary to get the version number in:

X-MimeOLE: Produced by Group-Office 4.x.x
X-Mailer: Group-Office 4.X.x

Please remove this due to the fact of using GroupOffice on the web, and everybody can see which version is used/vulnerable.

Discussion

  • And there is even more leakage:

    var BaseHref = '/';
    GO = {};
    GO.settings={"state_index":"go","language":"de","state":[],"pspellSupport":false,"config":{"theme":"Default","product_name":"Group Office","product_version":"4.2.8","host":"\/","title":"Group Office","webmaster_email":"groupoffice@domain.tld","full_url":"http:\/\/office.domain.tld","allow_password_change":true,"allow_themes":true,"allow_profile_edit":true,"max_users":0,"debug":false,"max_attachment_size":"20971520","max_file_size":"20971520","help_link":"http:\/\/wiki4.group-office.com\/wiki\/","support_link":"https:\/\/shop.group-office.com\/support","nav_page_size":50,"default_country":"DE","checker_interval":120},"show_contact_cf_tabs":[]};

    Sorry, but this is bad in case of email harvesters, disclosure of product version, and various other things...

     
    Last edit: Lonesome Walker 2013-07-27
    • status: open --> closed
     
  • You're right. It will be gone in the next release (4.2.10).

     
  • Done. Thanks :-)
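
A regression check for the two leaks reported in this ticket (version banners in outgoing mail headers, and version and webmaster address in the inline `GO.settings` object). This is an added example, not part of the ticket or of Group-Office's code; the function names and both sample inputs are constructed for illustration, with the page sample abbreviated from the snippet quoted above.

```python
import json
import re
from email import message_from_string

VERSION_RE = re.compile(r"\b\d+(?:\.\d+)+\b")           # dotted version, e.g. 4.2.8
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
BANNER_HEADERS = ("X-Mailer", "X-MimeOLE")               # headers named in the ticket

# Constructed sample inputs (assumed values, for illustration only).
SAMPLE_MAIL = (
    "From: alice@example.test\nSubject: hello\n"
    "X-Mailer: Group-Office 4.2.8\n"
    "X-MimeOLE: Produced by Group-Office 4.2.8\n"
    "\nbody\n"
)
SAMPLE_PAGE = (
    '<script>GO = {}; GO.settings={"language":"de","config":{'
    '"product_name":"Group Office","product_version":"4.2.8",'
    '"webmaster_email":"groupoffice@domain.tld",'
    '"max_file_size":"20971520","debug":false}};</script>'
)


def audit_mail_headers(raw_message):
    """Return (header, value) pairs whose banner carries a version number."""
    msg = message_from_string(raw_message)
    return [(name, value)
            for name in BANNER_HEADERS
            for value in msg.get_all(name, [])
            if VERSION_RE.search(value)]


def audit_page_settings(html):
    """Return (key, kind) for config values in an inline GO.settings object
    that are a bare version string or an e-mail address."""
    m = re.search(r"GO\.settings\s*=\s*", html)
    if not m:
        return []
    # raw_decode parses exactly one JSON value and ignores the trailing ';'
    settings, _ = json.JSONDecoder().raw_decode(html, m.end())
    findings = []
    for key, value in settings.get("config", {}).items():
        if not isinstance(value, str):
            continue
        if VERSION_RE.fullmatch(value):
            findings.append((key, "version"))
        elif EMAIL_RE.fullmatch(value):
            findings.append((key, "email"))
    return findings


if __name__ == "__main__":
    print(audit_mail_headers(SAMPLE_MAIL))
    print(audit_page_settings(SAMPLE_PAGE))
```

Run against a message sent by the installation and against the login page fetched without a session; after the fix both functions should return an empty list.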