should GETSITEVERSION be always available?

zspitzer

should GETSITEVERSION be always available?

I'd suggest this should be always available?

z



--
Zac Spitzer -
http://zacster.blogspot.com
+61 405 847 168
_______________________________________________
mapguide-internals mailing list
[hidden email]
http://lists.osgeo.org/mailman/listinfo/mapguide-internals
Martin Morrison

RE: should GETSITEVERSION be always available?

In a secure environment the less information you give out the better.  That being said for the RFC that is being discussed, how many servers are in a secure environment actually need to ping the server?

Martin

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Zac Spitzer
Sent: Thursday, June 25, 2009 6:26 AM
To: MapGuide Internals Mail List
Subject: [mapguide-internals] should GETSITEVERSION be always available?

I'd suggest this should be always available?

z



--
Zac Spitzer -
http://zacster.blogspot.com
+61 405 847 168
Jason Birch

RE: should GETSITEVERSION be always available?

I think that clients should probably be able to rely on at least a major version number (2.0 or 2.1) being obtainable from the server even in secure mode.  Otherwise there would be no way of making version-tolerant client apps.

Jason

-----Original Message-----
From: Martin Morrison
Sent: Thursday, June 25, 2009 5:45 AM
To: MapGuide Internals Mail List
Subject: RE: [mapguide-internals] should GETSITEVERSION be always available?

In a secure environment the less information you give out the better.  That being said for the RFC that is being discussed, how many servers are in a secure environment actually need to ping the server?
Kenneth Skovhede, GEOGRAF A/S

Re: should GETSITEVERSION be always available?

I agree with Jason, a client should be able to handle different versions
gracefully.

Knowing the version number will potentially let an attacker know
if a certain weakness is present in the software (e.g., has an SP been
applied).

If we cut the revision from the secure version, it will be more difficult to
figure out if a weakness is present, while still maintaining the option to
allow version-tolerant clients.

Regards, Kenneth Skovhede, GEOGRAF A/S



Jason Birch wrote:

> I think that clients should probably be able to rely on at least a major version number (2.0 or 2.1) being obtainable from the server even in secure mode.  Otherwise there would be no way of making version-tolerant client apps.
>
> Jason
>
> -----Original Message-----
> From: Martin Morrison
> Sent: Thursday, June 25, 2009 5:45 AM
> To: MapGuide Internals Mail List
> Subject: RE: [mapguide-internals] should GETSITEVERSION be always available?
>
> In a secure environment the less information you give out the better.  That being said for the RFC that is being discussed, how many servers are in a secure environment actually need to ping the server?
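The compromise discussed in this thread (report only major.minor in secure mode, and have clients decide on major.minor alone), sketched as an added example that is not part of the thread or of MapGuide's code. All function names are hypothetical and the version string "2.1.0.4283" is constructed.

```cpp
#include <iostream>
#include <optional>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical helper: split a dotted version into numeric components.
// Returns nullopt for empty, non-numeric or oversized components.
std::optional<std::vector<int>> parse_version(const std::string& text) {
    std::vector<int> parts;
    std::stringstream ss(text);
    std::string item;
    while (std::getline(ss, item, '.')) {
        if (item.empty() || item.size() > 6 ||
            item.find_first_not_of("0123456789") != std::string::npos)
            return std::nullopt;
        parts.push_back(std::stoi(item));
    }
    if (parts.empty() || text.back() == '.') return std::nullopt;
    return parts;
}

// Server side (assumed behaviour): in secure mode drop everything after
// major.minor, so the patch/build level is not disclosed.
std::string reported_version(const std::string& full, bool secure_mode) {
    auto parts = parse_version(full);
    if (!parts || parts->size() < 2) return "";  // never echo malformed input
    if (!secure_mode) return full;
    return std::to_string((*parts)[0]) + "." + std::to_string((*parts)[1]);
}

// Client side: compare on major.minor only, so the same check works against
// both the full and the truncated form.
bool server_at_least(const std::string& reported, int major, int minor) {
    auto parts = parse_version(reported);
    if (!parts || parts->size() < 2) return false;  // unknown: assume oldest
    if ((*parts)[0] != major) return (*parts)[0] > major;
    return (*parts)[1] >= minor;
}

int main() {
    const std::string full = "2.1.0.4283";  // constructed sample value
    for (bool secure : {false, true}) {
        std::string v = reported_version(full, secure);
        std::cout << (secure ? "secure: " : "open:   ") << v
                  << "  supports 2.1 features: " << server_at_least(v, 2, 1) << "\n";
    }
    return 0;
}
```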