We currently work with multiple companies who use Drupal for hundreds of sites. Our clients report that a major security compliance issue is with tracking Drupal versions.
As Drupal vulnerabilities for specific versions surface on the web, customers immediately check to see which Drupal sites in their portfolio need an upgrade. Unfortunately, the various implementations of Drupal do not consistently report the Drupal version down to the X.xx (decimal point) version in the header.
Whenever a new security vulnerability is reported, it is next to impossible to track down which sites need to update or patch.
It would really, really help if all releases of Drupal consistently reported the version in the HTTP header or tags.
Joomla and WordPress are both pretty consistent with the way they report versions.
A number of corporate customers are considering a move away from Drupal as a tool for this reason. Crazy to say it.
Please consider this quick enhancement.
Thanks.
Comments
Comment #2
catch
Comment #3
platinum1 commented:
I don't believe that it is a good idea to report the version number of Drupal in the header. From a security perspective, I believe the contrary is the case. If this is really desired functionality, IMHO it should be optional.
Comment #4
gargsuchi, as a volunteer and at Acquia, commented:
I agree, putting in this feature can be a major security risk!!
If really needed, we can implement functionality which shows the version in the header/tags if and only if the user is logged on as the superuser.