This is a static dump of issues in the old "Flyspray" bugtracker for DokuWiki. Bugs and feature requests
are now tracked at the issue tracker at GitHub.
FS#910 Disable do=check when conf debug = 0
Although it's not quite so much information as the do=debug, do=check does give away both the PHP version and the DokuWiki version, both of which may aid potential attackers in knowing which vectors may be vulnerable. Think it would be a good idea to have do=check disabled, either by setting $conf['debug'] = 0 or an explicit config option.
Yeah - I know - security by obscurity but every little bit helps.
do=check can be disabled with $conf['disableactions'] - however the DokuWiki version is also displayed in the meta headers and many users rely on the check action to see which version they are running when new releases or security alerts come out.
I'm not sure how useful disabling this info is and I'd like to get other people's input. In my experience a version string doesn't matter. Attackers will simply try whether their attack works or not instead of bothering to look or search for version strings.
One idea could be to disable all version info (when debug is disabled) and display the dokuwiki version somewhere in the admin panel instead.
And should we also hide the version info from the web server's signature? I don't think hiding is anything serious when talking about security.
Most certainly the information revealed by check is already available elsewhere.