Author Topic: Thanks to remove footprint from Virtuemart in new releases  (Read 863 times)

Studio 42

  • VirtueMart Version: 2.6 & 3
« on: August 15, 2015, 01:02:03 am »
Hi all,
Currently VirtueMart JavaScript and CSS add versioning to each file loaded by VirtueMart.
This is really bad! (I had to do some security fixes on a site, and the idea comes from here.)
Currently, you don't have to check if you have a security vulnerability if you check the ?vmver=8919, because this comes from
Code:
defined('VM_REV') or define('VM_REV',vmVersion::$REVISION);
and gets the current release.
Simply with this you can check if a site is vulnerable or not. The hackers thank you.
I think this should be set in the config and not use the VM release number.
Perhaps a global Joomla setting is the best way. But I doubt anyone wants to change it in Joomla.
Outside of this, if you make changes to any JavaScript, you cannot update the script when you use an expire time on your server (the Vmver is set by VirtueMart).
Last thing: changing VMver=8919 to v1.0.3 is more standard and makes it harder to find that it's VM running on a site.

Most of the time I don't load the VM core script. But some customers do, and expose the currently running release to the whole world.
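
Added example, not part of the original post and not VirtueMart code: one way to get a cache-busting token that changes whenever an asset file changes but does not carry the release number. The function name assetUrl(), the $siteSecret value, the ?v= parameter and the demo paths are assumptions made for this illustration.

```php
<?php
// Added illustration. assetUrl(), $siteSecret and all paths are hypothetical.

/**
 * Build an asset URL whose ?v= token is a keyed hash of the file content.
 * The token changes when the file is edited (so far-future expiry headers
 * still work) and is not the software revision number.
 */
function assetUrl(string $baseUrl, string $docRoot, string $relPath, string $siteSecret): string
{
    $url  = rtrim($baseUrl, '/') . '/' . ltrim($relPath, '/');
    $root = realpath($docRoot);
    $file = realpath($docRoot . '/' . ltrim($relPath, '/'));

    // Refuse anything that is missing or resolves outside the document root.
    if ($root === false || $file === false || !is_file($file)
        || strncmp($file, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return $url; // no token rather than an error that leaks a path
    }

    // Keyed with a per-site secret so the same file yields a different
    // token on every site and cannot be looked up in a table of releases.
    $token = substr(hash_hmac_file('sha256', $file, $siteSecret), 0, 10);

    return $url . '?v=' . $token;
}

// Constructed demo: a temporary directory stands in for the web root.
$root = sys_get_temp_dir() . '/asset_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/js', 0700, true);
file_put_contents($root . '/js/shop.js', "console.log('original');\n");

$secret = bin2hex(random_bytes(16)); // in practice: a value stored in site config

$before = assetUrl('https://shop.example', $root, 'js/shop.js', $secret);
file_put_contents($root . '/js/shop.js', "console.log('patched');\n");
$after  = assetUrl('https://shop.example', $root, 'js/shop.js', $secret);

echo $before, PHP_EOL, $after, PHP_EOL;
echo 'token changed with file: ', ($before !== $after ? 'yes' : 'no'), PHP_EOL;

// Clean up the constructed files.
unlink($root . '/js/shop.js');
rmdir($root . '/js');
rmdir($root);
```

The asset files themselves remain downloadable, so this only removes the release number from the URL; it does not stop someone from comparing file contents against known releases.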