HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

How can I find out what Vanilla OSS version an instance is running?

If I find a Vanilla deployment in the wild, how can I tell what version it is?

I see a Vanilla() object in the console, but if I click on it, I can't tell much? Here for instance, I see `@copyright 2009-2018 Vanilla Forums Inc.`.

Comments

  • You are not supposed to be able to find out the version easily for security reasons.

  • I see, security through obscurity.

  • Yes some people for all sorts of reasons run older versions of vanilla that have known security issues.

  • I don't think that has ever been any reason for not printing the version number.

    As an admin you find it in the dashboard. But you can always find it in the HTML source. The version number is attached to the css and js assets. Every asset has the version number of its origin attached, so you might find different version numbers, so you need to find out the correct asset. I cannot give you a full proof asset name, but with this info you will surely find it out yourself

  • K17K17 ✭✭✭
    edited January 2021

    @ianw5555 Vanilla version has never been sensitive information, and is easily accessible throught any HTML inspector for all Vanilla 2/3 installations (and for Vanilla 1 it is printed on the page itself). Security throught obscurity is not really a thing as it is open source software. But you can easily know wich Vanilla is open source or cloud almost open source by checking the version number of some css assets. If the number is simple (like 3.3) that's open source. If it is a strange string (like 5fd8f0e6), that's Vanilla Cloud.

  • Thanks, I see links to `/static-asset/cl30011/js/library/jquery.js?v=5fd8f0e6`, so that means Cloud, and I guess "cl30011" stands for version 3.0.... something? Haven't see the current version of Cloud somewhere obvious on vanillaforums.com.

  • K17K17 ✭✭✭

    I don't remember seeing actual cloud "versions", as it seems continously (and surely synced) updated.

  • x00x00 MVP
    edited January 2021

    There is no obligation for sites you don't run to provide that information

    You can ask

    Also in the HTTP response header

    x-vanilla-version: 4.0-2020.024

    grep is your friend.

Sign In or Register to comment.