Thanks to remove footprint from Virtuemart in new releases

Started by Studio 42, August 15, 2015, 01:02:03 AM


Studio 42

Hi all,
Currently Virtuemart javascript and css add versioning to each file loaded by Virtuemart.
This is really bad! (I had to do some security fixes on a site and the idea comes from here.)
Currently, you don't have to check if you have a security vulnerability if you check the ?vmver=8919, because this is from
defined('VM_REV') or define('VM_REV',vmVersion::$REVISION);
and gets the current release.
Simply with this you can check if a site is vulnerable or not. The hackers thank you.
I think this should be set in config and not use the VM release number.
Perhaps a global Joomla setting is the best way. But I doubt anyone wants to change it in Joomla.
Outside of this, if you make some changes in any javascript, you cannot update the script when you use an expire time on your server (the Vmver is set by Virtuemart).
Last thing: changing VMver=8919 to v1.0.3 is more standard and makes it harder to find that it's VM running on a site.

Most of the time I don't load the VM core script. But some customers do it and expose to all the world the current running release.

Greetings,

Patrick
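
One way to get a cache-busting parameter that does not reveal the installed release, as an added example (not part of the post and not VirtueMart code): the token is an HMAC of the file contents keyed with a per-site secret, so it changes when a script is edited but cannot be matched against known releases. The helper names `asset_token()` and `asset_url()`, the secrets and the `com_example` path are assumptions made for illustration.

```php
<?php
// Added example, not VirtueMart code. asset_token() and asset_url() are
// hypothetical helpers; the secrets and file paths below are constructed.

/**
 * Cache-busting token for a static file: an HMAC of the file contents keyed
 * with a per-site secret. It changes whenever the file changes, and it is not
 * comparable across sites, so it does not identify the installed release.
 */
function asset_token(string $path, string $siteSecret): string
{
    if (!is_file($path) || !is_readable($path)) {
        throw new RuntimeException("Asset not readable: $path");
    }
    $mac = hash_hmac_file('sha256', $path, $siteSecret);
    return substr($mac, 0, 10); // a short token is enough for cache busting
}

/** Append the token to an asset URL, respecting an existing query string. */
function asset_url(string $url, string $path, string $siteSecret): string
{
    $sep = (strpos($url, '?') === false) ? '?' : '&';
    return $url . $sep . 'v=' . asset_token($path, $siteSecret);
}

// --- demonstration with constructed data ---
$secretA = 'site-A-constructed-secret';
$secretB = 'site-B-constructed-secret';
$url     = '/components/com_example/assets/js/site.js';
$file    = tempnam(sys_get_temp_dir(), 'asset');
file_put_contents($file, "console.log('core script');");

$before    = asset_url($url, $file, $secretA);
$otherSite = asset_url($url, $file, $secretB);

// Simulate a local change to the script.
file_put_contents($file, "console.log('locally patched script');");
clearstatcache();
$after = asset_url($url, $file, $secretA);

echo $before, PHP_EOL;     // original file on site A
echo $otherSite, PHP_EOL;  // same file on another site: different token
echo $after, PHP_EOL;      // edited file: token changes, caches refresh

var_dump($before !== $otherSite, $before !== $after);
unlink($file);
```

A plain unkeyed hash of an unmodified core file would still be the same on every site running that release, which is why the token is keyed with a per-site secret.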