Problem/Motivation
Drupal 7.x discloses information in its HTTP response and themed HTML that automated Vulnerability Analysis tools can use to determine the application version (major version number and/or minor version number). With this version information, attackers can narrow down both vulnerable websites and known attack vectors.
Automated Vulnerability Analysis
Automated vulnerability analysis utilizes software to interact with a target, examine responses, and determine whether a vulnerability exists based on those responses. An automated process can help reduce time and labor requirements when seeking to identify vulnerabilities in a system, or when searching for systems that match specific known vulnerabilities.
Many web application scanners will attempt to compare the version of the web application with known vulnerable versions in security advisories.
A Penetration Test Report against a production Drupal 7.x site returned a couple of information disclosure issues we needed to address:
Finding - Information disclosure
Drupal 7 discloses information that can be used by an attacker to more accurately target the specific environment or application.
Technical Details
A goal for any attacker is to gather as much information about the target environment as possible in order to gain a foothold or launch a more focussed and sophisticated attack.
Testing identified the use of the Drupal content management system (CMS) through server headers, as shown below:
X-Drupal-Cache: MISS
X-Generator: Drupal 7 (http://drupal.org)
Testing identified the use of the Drupal content management system (CMS) through HTML META tags, as shown below:
<meta name="generator" content="Drupal 7 (http://drupal.org)" />
Proposed resolution
Prevent Drupal 7 from revealing information about itself to unauthenticated users such as automated vulnerability analysis tools. This would include, but is not limited to:
- The Drupal application name itself
- Drupal's major version number
- Drupal's minor version number
- Drupal CHANGELOG files
- Drupal INSTALL instructions files
- Drupal README files
The following changes could deal with some of the above:
- Use hook_boot implementation to remove X-Drupal-Cache and X-Generator headers.
- Use hook_html_head_alter implementation to remove generator meta tag from HTML.
- During install ensure variable page_cache_invoke_hooks is TRUE so X-Drupal-Cache is removed for cached pages.
- Document ways to prevent the web server (Apache, Nginx) from serving common Drupal text files such as the CHANGELOG, INSTALL and README files to unauthenticated users.
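A way to confirm the header and meta tag changes took effect, as an added example that is not part of the original issue or of Drupal's code: it parses a raw HTTP response and reports the X-Drupal-Cache and X-Generator headers and the generator meta tag if they are still present. Both sample responses are constructed, and the function, class and constant names are assumptions.

```python
from html.parser import HTMLParser

# Response headers named in the finding above (compared case-insensitively).
DISCLOSING_HEADERS = ("x-drupal-cache", "x-generator")

class GeneratorMeta(HTMLParser):
    """Collects the content of every <meta name="generator"> tag."""
    def __init__(self):
        super().__init__()
        self.values = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.values.append(a.get("content") or "")

def find_disclosures(raw_response):
    """Return the disclosure findings in one raw HTTP response."""
    head, _, body = raw_response.partition("\r\n\r\n")
    findings = []
    # Skip the status line, then check each header name.
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in DISCLOSING_HEADERS:
            findings.append(f"header {name.strip()}: {value.strip()}")
    parser = GeneratorMeta()
    parser.feed(body)
    parser.close()
    findings += [f"meta generator: {v}" for v in parser.values]
    return findings

# Constructed sample: a response carrying the markers quoted in the finding.
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Drupal-Cache: MISS\r\n"
    "X-Generator: Drupal 7 (http://drupal.org)\r\n\r\n"
    '<html><head><meta name="generator" '
    'content="Drupal 7 (http://drupal.org)" /></head><body></body></html>'
)
# Constructed sample: the same page with the headers and meta tag removed.
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n\r\n"
    "<html><head><title>Home</title></head><body></body></html>"
)

if __name__ == "__main__":
    for label, resp in (("before", BEFORE), ("after", AFTER)):
        print(label, find_disclosures(resp) or "no disclosure markers found")
```

Run it against both a cached and an uncached response, since the X-Drupal-Cache removal for cached pages depends on page_cache_invoke_hooks.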
Remaining tasks