Feature Wiki

Information about planned and released features

UI Footer: Remove version information

1 Initial Problem

The footer template .../Services/UICore/tpl.footer.html contains a div that reveals the ILIAS version number to everyone who accesses ILIAS, including visitors who have not logged in. This can help hackers identify vulnerable ILIAS installations, because they can check whether and which security issues have been fixed in later versions of ILIAS.

2 Conceptual Summary

We will introduce an explicit setting to show the version information in the footer:

  • The version will be hidden by default for new installations.
  • The version will be shown by default for old installations - because this is the current behaviour.

Note: ILIAS administrators can still access the ILIAS version via the server data tab under general settings, screen-ID: adm/server/server_data.

3 User Interface Modifications

3.1 List of Affected Views

  • All views with a footer are affected, i.e. basically everything except fullscreen SCORM/HTML modules
  • Administration > Privacy and Security

3.2 User Interface Details

[ILIASROOT]/Services/UICore/tpl.footer.html

  • Version enabled: powered by ILIAS (v{ILIAS_VERSION})
  • Version disabled: powered by ILIAS

Administration > Privacy and Security

3.3 New User Interface Concepts

None.

4 Technical Information

{The maintainer has to provide necessary technical information, e.g. dependencies on other ILIAS components, necessary modifications in general services/architecture, potential security or performance issues.}

5 Contact

6 Funding

If you are interested in funding this feature, please add your name and institution to this list.

7 Discussion

JourFixe, ILIAS [jourfixe], 26 MAR 2018: We reject this suggestion because there are a lot of administrators who want to keep this information for transparency reasons. But we see a general need for configuring this easily and suggest adding a checkbox in 'Security and Privacy' that controls whether the version number is presented or not. Please revise the request if this is interesting for you.

Hesse, Joel [Joel_Hesse]: From my view this feature makes much sense. In my opinion the version should get removed, regardless of any mentions of the administrators, because it's a serious security risk.

Kiegel, Colin [kiegel], 2019-02-01: I updated the Feature Wiki request to comply with the requirements of the ILIAS Jour Fixe. A Pull-Request is ready to be published.

Which ILIAS Versions should get this improvement? Since it can improve security, it may be relevant for 5.2, 5.3, 5.4 too.

Kiegel, Colin [kiegel], 2019-09-03: Note that current ILIAS also exposes its version in the source code. When referencing static content like JS/CSS files, the version number is appended to improve caching. Changing this exceeds the scope of this feature request IMO. I just want to note that this should be tackled at some point too. A solution might involve salted hashes of the version number or a random string unique for each installation and ILIAS version. A separate concept is needed for this.
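
The salted-hash idea from the 2019-09-03 comment above, sketched as an added example (not ILIAS code and not part of the original page): a keyed hash of the version gives a cache-busting token that is stable per installation and version but does not disclose the version. The function names, the `v` query parameter, the secrets and the asset paths are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not ILIAS code): opaque cache-busting token derived
// from a per-installation secret and the version string.
function assetToken(string $installSecret, string $version): string
{
    // Keyed HMAC instead of a plain hash: the token depends on a value that
    // never leaves the server. Truncated to 16 hex characters (64 bits).
    return substr(hash_hmac('sha256', 'asset-cache:' . $version, $installSecret), 0, 16);
}

// Appends the token to an asset URL, keeping an existing query string and fragment.
// The parameter name "v" is an assumption.
function versionedAssetUrl(string $url, string $token): string
{
    $fragment = '';
    $hashPos = strpos($url, '#');
    if ($hashPos !== false) {
        $fragment = substr($url, $hashPos);
        $url = substr($url, 0, $hashPos);
    }
    $separator = (strpos($url, '?') === false) ? '?' : '&';
    return $url . $separator . 'v=' . $token . $fragment;
}

function check(bool $condition, string $property): void
{
    if (!$condition) {
        throw new RuntimeException("Property violated: $property");
    }
}

// Constructed secrets; a real one would be generated once per installation,
// e.g. with bin2hex(random_bytes(32)), and kept out of the web root.
$secretA = 'constructed-secret-installation-A';
$secretB = 'constructed-secret-installation-B';

check(assetToken($secretA, '5.4') === assetToken($secretA, '5.4'), 'stable, so caching works');
check(assetToken($secretA, '5.4') !== assetToken($secretA, '5.3'), 'changes on upgrade');
check(assetToken($secretA, '5.4') !== assetToken($secretB, '5.4'), 'differs per installation');

// Constructed asset paths.
echo versionedAssetUrl('assets/js/app.js', assetToken($secretA, '5.4')), PHP_EOL;
echo versionedAssetUrl('assets/css/site.css?media=screen#top', assetToken($secretA, '5.4')), PHP_EOL;
```

Because the set of released versions is small, the token hides the version only while the installation secret stays private; an unkeyed hash of the version alone could be reversed by enumerating releases.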

8 Implementation

{The maintainer has to give a description of the final implementation and add screenshots if possible.}

Test Cases

Test cases completed at {date} by {user}

  • {Test case number linked to Testrail} : {test case title}

Approval

Approved at {date} by {user}.

Last edited: 3. Sep 2019, 17:53, Kiegel, Colin [kiegel]