SMF License Question

Started by James_Curley, September 23, 2012, 06:02:51 PM

James_Curley

Are users of SMF Forum Software allowed to remove the version number from the footer? When new exploits come out, often people use Google to find susceptible forums. Ex. "SMF 2.0.2 | SMF © 2011, Simple Machines"

This allows people to easily find exploitable forums through Google and other search engines. Would I be able to change it from:
SMF 2.0.2 | SMF © 2011, Simple Machines
to
SMF | SMF © 2011, Simple Machines

Would this be a violation of the license agreement?

Orangine

No, it wouldn't. And no, you won't fool anyone.

TwitchisMental

Here is a mod to do this: http://custom.simplemachines.org/mods/index.php?mod=1046

However, this really does nothing to protect your site from being exploited.

Kindred

Well, for one thing, as Orangine said, hiding the version number will not protect you in any way, shape or form. Hackers do not search for susceptible forums when a hack is found. They use scattershot techniques and hit EVERY site with the hack, even if the site is not even running that software (I have been hit with WordPress hack attempts even though I never ran WordPress on that site).

Yes, removing the version number is acceptable, if you feel that you must.
You can install that mod, or edit the line in index.php yourself.

On SMF 2.x, you can even remove the whole copyright statement, if you want to... Although we reserve the right to refuse support to sites which have done so....  And even that will not protect your site.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

青山 素子

Quote from: PyRo_RaPiD on September 23, 2012, 06:02:51 PM
Are users of SMF Forum Software allowed to remove the version number from the footer? When new exploits come out, often people use Google to find susceptible forums. Ex. "SMF 2.0.2 | SMF © 2011, Simple Machines"

This allows people to easily find exploitable forums through Google and other search engines.

Yes, you can hide the version number if you wish. There is a modification that does so safely (it only hides for non-admin users, so it won't break update warnings). However, you are completely wrong about searching to find old versions. That is rarely done anymore except for targeted attacks, maybe. If it's a targeted attack, there are much better ways to detect a version than the footer. Automated attacks, the majority of what causes problems, just throw every possible combination of every attack vector for any possible software against a site and see what sticks. Those types of attacks don't give any care to the version number in the footer.

Although applying to WordPress, some good information:

From 2009: http://wordpress.org/news/2009/09/keep-wordpress-secure/
Quote
Hide the WordPress version, they say, and you'll be fine. Uh, duh, the worm writers thought of that. Where their 1.0 might have checked for version numbers, 2.0 just tests capabilities, version number be damned.

**snip**

The only thing that I can promise will keep your blog secure today and in the future is upgrading.

I'd like to note that this is already happening by default because everyone thought like you are thinking.
From http://www.whitefirdesign.com/blog/2011/03/02/hiding-the-wordpress-version-number-will-not-make-your-website-more-secure/:
Quote
The biggest thing to understand is that hackers are not checking what version of WordPress is being run when trying to hack a website. In fact in most cases they don't even check if WordPress is installed, they just try to exploit known vulnerabilities in older versions of WordPress at locations that WordPress might be installed (they also attempt to exploit other software that might be located on a website as well). So no matter how hard you try to hide the WordPress version number, you will still get hacked if you are running an outdated version of WordPress.

Replace "WordPress" in the above quote with "SMF" and it is just as accurate.

Yes, I'm picking a bit on WordPress. It's a horribly inefficient piece of software, a blog software often tortured into being a full CMS, and exploited almost more often than MS Windows. However, (almost) everybody loves it...
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.
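
Added example, not part of the original thread or any poster's code: a small log check an SMF admin can run to see the scattershot behaviour described above, by counting requests for paths that belong to software the site never ran. The path signatures, function names and sample log lines are assumptions constructed for this illustration.

```python
import re
from collections import Counter

# Illustrative path signatures per product (an assumption of this example, not exhaustive).
SIGNATURES = {
    "wordpress": re.compile(r"^/(wp-login\.php|xmlrpc\.php|wp-admin/|wp-content/)"),
    "joomla": re.compile(r"^/administrator/"),
    "phpmyadmin": re.compile(r"^/(phpmyadmin|pma)/", re.I),
}
# Common/combined log format prefix: client, timestamp, request line, status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def foreign_probes(lines, installed=("smf",)):
    """Count requests per (client, product) for products not installed on this site."""
    hits = Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # ignore malformed lines
        client, path = m.group(1), m.group(3)
        for product, rx in SIGNATURES.items():
            if product not in installed and rx.match(path):
                hits[(client, product)] += 1
    return hits

def scattershot_clients(hits, min_products=2):
    """Clients that probed at least min_products different uninstalled products."""
    seen = {}
    for client, product in hits:
        seen.setdefault(client, set()).add(product)
    return {c: sorted(p) for c, p in seen.items() if len(p) >= min_products}

# Constructed sample log for an SMF-only site (documentation-range IPs).
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Sep/2012:18:02:51 +0000] "GET /index.php?topic=1.0 HTTP/1.1" 200 5120',
    '198.51.100.23 - - [23/Sep/2012:18:03:02 +0000] "POST /wp-login.php HTTP/1.1" 404 312',
    '198.51.100.23 - - [23/Sep/2012:18:03:03 +0000] "POST /xmlrpc.php HTTP/1.1" 404 312',
    '198.51.100.23 - - [23/Sep/2012:18:03:04 +0000] "GET /administrator/index.php HTTP/1.1" 404 312',
    '198.51.100.23 - - [23/Sep/2012:18:03:05 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 312',
    '192.0.2.44 - - [23/Sep/2012:18:04:10 +0000] "GET /wp-login.php HTTP/1.1" 404 312',
    'garbage line without a request',
]

if __name__ == "__main__":
    hits = foreign_probes(SAMPLE_LOG)
    for (client, product), n in sorted(hits.items()):
        print(f"{client} probed {product} paths {n} time(s)")
    print("scattershot:", scattershot_clients(hits))
```

Requests like these arrive whether or not the footer shows a version, which is why the replies above point to upgrading rather than hiding.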

