Forums | Mahara Community

Security issue relating to disclosure of sys info <1.8.6, <1.9.4, <1.10.1


Robert Lyon

26 November 2014, 12:16

Minor version number displayed in JS, CSS links

Category: Disclosure of system information
Severity: Low
Versions affected: <1.8.6, <1.9.4, <1.10.1
Reported by: Aaron Wells
Bug report: https://bugs.launchpad.net/mahara/+bug/1384481
CVE reference: CVE-2014-8692


We made a conscious decision, for security reasons, not to display the
Mahara minor version number on the footer of every page, except to
Mahara admins.

However, in bug 1214124 we then added the minor version number to
every stylesheet and JavaScript URL, which makes it trivially easy to
find. You just look at the source code, and look for style.css:

Robert Lyon

27 November 2014, 8:36

Important note:

The patch for this problem only patches the issues in the core code - if your site is using custom-made themes you will need to check that they are not disclosing the minor version number.

To check if you need to make adjustments, first search for this string:

  v={$RELEASE}

If it exists in your code anywhere (most likely in theme/[yourthemename]/templates/header/head.tpl) then you will need to change it to:

  v={$CACHEVERSION}
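
The search-and-replace described in the post above, as an added example that is not part of the original post or of Mahara's own tooling. The function names, the `--fix` flag and the `.bak` backup suffix are assumptions made for this sketch; the two strings are the ones given in the post.

```shell
#!/bin/sh
# Added example (not Mahara code): audit a custom theme directory for the
# version-leaking URL suffix and, on request, rewrite it in place.
# Usage (script name is hypothetical): sh audit_theme.sh theme/yourthemename [--fix]

LEAK='v={$RELEASE}'   # the string the post says to search for

# Print "file:line:text" for every occurrence under directory $1.
find_release_leaks() {
    grep -rnF --exclude='*.bak' -- "$LEAK" "$1" 2>/dev/null
}

# Print the number of files under $1 that still contain the string.
count_leaking_files() {
    grep -rlF --exclude='*.bak' -- "$LEAK" "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Replace v={$RELEASE} with v={$CACHEVERSION} in each affected file,
# keeping the untouched original next to it as FILE.bak.
fix_release_leaks() {
    grep -rlF --exclude='*.bak' -- "$LEAK" "$1" 2>/dev/null |
    while IFS= read -r f; do
        sed -i.bak 's/v={\$RELEASE}/v={$CACHEVERSION}/g' "$f" &&
            echo "patched: $f (backup: $f.bak)"
    done
}

# Run only when a directory argument is supplied.
if [ "$#" -ge 1 ]; then
    if [ "${2:-}" = "--fix" ]; then
        fix_release_leaks "$1"
    fi
    find_release_leaks "$1" || echo "no v={\$RELEASE} found under $1"
fi
```

Review the patched templates, then delete the `.bak` copies so they are not left inside the web-served theme directory.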
