I was taking a look Q2A change-log and just noticed that since Version 1.5.1 the file "Version.txt" had been added to Q2A script to show current version of script. it is not a security problem NOW and you don't need to get worried. however common scripts do not simply let visitors(or hackers) know which version of script they are using. because it will be easier to organizes and track exploits and let hackers damage a large number of sites using a simple script that find and hacks these sites. there are even hack tools too show which version of an script a site uses. how it is a thread? Usually when a security update is implemented on an script this unhonorable hackers can find the bug that had been fixed by developers by comparing new and old source codes. then use google to find all sites using old versions of script(without security update) and simply using the unfixed bug to hack a large number of sites which did not have the latest update! now having a version.txt file just makes as easy as typing a single query in google search. if they can not determine which version of Q2A is used by our Q2A sites they will have too manual search in thousands of Q2A sites. Solution: Simply remove the version.txt file. hopefully this file will be removed by Gideon Greenspan in next version.
**** Also I remember when I was looking at Markdown Editor I noticed that it was not sanitizing the input. maybe it needs too be checked too. Q2A is still the best Q&A script best regards
Towhid from QA-Themes.com
Welcome to the Q&A site for Question2Answer.
If you have a question about Q2A, please ask here, in English.
To report a bug, please create a new issue on Github or ask a question here with the bug tag.
If you just want to try Q2A, please use the demo site.
