[mapguide-internals] should GETSITEVERSION be always available?

Kenneth Skovhede, GEOGRAF A/S ks at geograf.dk
Thu Jun 25 13:18:47 EDT 2009


I agree with Jason, a client should be able to handle different versions
gracefully.

Knowing the version number will potentially let an attacker know
if a certain weakness is present in the software (e.g., has an SP been
applied).

If we cut the revision from the secure version, it will be more difficult to
figure out if a weakness is present, while still maintaining the option to
allow version-tolerant clients.

Regards, Kenneth Skovhede, GEOGRAF A/S



Jason Birch wrote:
> I think that clients should probably be able to rely on at least a major version number (2.0 or 2.1) being obtainable from the server even in secure mode.  Otherwise there would be no way of making version-tolerant client apps.
>
> Jason
>
> -----Original Message-----
> From: Martin Morrison
> Sent: Thursday, June 25, 2009 5:45 AM
> To: MapGuide Internals Mail List
> Subject: RE: [mapguide-internals] should GETSITEVERSION be always available?
>
> In a secure environment the less information you give out the better. That being said, for the RFC that is being discussed, how many servers in a secure environment actually need to ping the server?

