TYPO3 website owners can disable the public exposure of the major version by setting a special header in TypoScript as shown below:
config.additionalHeaders.90.header = t3versions: hide-major
t3versions checks the TYPO3 frontend output, the TYPO3 backend login (if available) and the existence of files (fingerprinting) that are unique to each TYPO3 major version. To determine the unique files for each TYPO3 major version, the files of all available TYPO3 versions (8+ GB of data excluding PHP files) have been analyzed for uniqueness.
Although t3versions can determine the patch level version a TYPO3 website uses, the exact patch level version is not shown publicly, since a possible attacker could use this information to focus on known TYPO3 security vulnerabilities when attacking a website.
t3versions is built with the Python framework Django. Core parts of the application are covered by unit tests that are automatically executed on a GitLab CI runner on every commit. When all tests pass, GitLab deploys the application to the production server using Fabric.
The TYPO3 analyzer checks the TYPO3 frontend output, the TYPO3 backend login (if available) and the existence of files (fingerprinting) that are unique to each TYPO3 major version. To determine the unique files for each TYPO3 major version, the files of all available TYPO3 versions (8+ GB of data excluding PHP files) have been analyzed for uniqueness.
In order to discover new websites using TYPO3, a scalable crawler is used to check imported lists of domains for TYPO3 usage. The crawler uses the multiprocessing and multithreading features of Python and is able to analyze millions of domains in a short amount of time (depending on the number of workers).
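An added example (not t3versions' own code) of how such a uniqueness analysis can work, and how a site owner could use its result to see which publicly served files give away the major version. The manifests, paths, digests and version numbers are constructed placeholders, and comparing files by content digest is an assumption.

```python
from collections import defaultdict

# Constructed sample manifests: release -> {relative path: content digest}.
# Paths, digests and version numbers are placeholders, not real TYPO3 files.
MANIFESTS = {
    "1.0.0": {"static/app.js": "aa11", "static/login.css": "c001", "static/logo.svg": "f00d"},
    "1.1.0": {"static/app.js": "aa12", "static/login.css": "c001", "static/logo.svg": "f00d"},
    "2.0.0": {"static/app.js": "bb21", "static/login.css": "c002", "static/logo.svg": "f00d"},
    "2.1.0": {"static/app.js": "bb21", "static/login.css": "c002", "static/icons.svg": "1c05"},
}

def major_of(version):
    return int(version.split(".")[0])

def unique_fingerprints(manifests):
    """Return {major: [(path, digest, coverage), ...]} for every (path, digest)
    pair that occurs in releases of exactly one major version."""
    seen_in = defaultdict(set)    # (path, digest) -> releases containing it
    releases = defaultdict(set)   # major -> all of its releases
    for version, files in manifests.items():
        releases[major_of(version)].add(version)
        for item in files.items():
            seen_in[item].add(version)
    result = defaultdict(list)
    for (path, digest), versions in seen_in.items():
        majors = {major_of(v) for v in versions}
        if len(majors) != 1:
            continue  # shared between majors, so it cannot identify one
        major = majors.pop()
        # coverage: share of this major's releases that ship the file
        coverage = len(versions) / len(releases[major])
        result[major].append((path, digest, coverage))
    for items in result.values():
        items.sort(key=lambda i: (-i[2], i[0], i[1]))  # best coverage first
    return dict(result)

def revealing_files(served, fingerprints):
    """Given the files a site serves ({path: digest}), list (path, major)
    for each file that identifies exactly one major version."""
    return sorted((p, m) for m, items in fingerprints.items()
                  for p, d, _ in items if served.get(p) == d)

if __name__ == "__main__":
    fps = unique_fingerprints(MANIFESTS)
    for major, items in sorted(fps.items()):
        print(major, items)
    print(revealing_files(MANIFESTS["2.0.0"], fps))
```

A file shared by several major versions (the constructed `static/logo.svg` here) is dropped, while files with a coverage of 1.0 identify a major version regardless of patch level.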
More information about the t3versions bot can be found here.
In order to automate TYPO3 version tests and the crawling of huge domain lists in the background, a task queue is running with Redis as the broker to store tasks.
The TYPO3 analyzer and crawler are packaged as a Docker container and can be deployed to any number of hosts. Each worker connects to the central Redis queue and processes queued domain scans. Currently, there are 3 host systems available for scanning (all with the same config: 6 CPUs, 16 GB RAM).
Yes, there is an API with several endpoints, nearly all of which require authentication. If you want to check a list of domains for TYPO3 usage, you can get access to specific API endpoints that enable you to queue checks and fetch check results after the analysis is finished. Note that usage of the API endpoints is limited to a daily number of requests per user.
Please check the API documentation to find out if the API is useful for your requirements. If so, feel free to contact me to get user credentials.
Note: t3versions is a private project, so there is no claim for either API stability/uptime or support.
Data is collected for statistical purposes only. I will not hand out domain lists for commercial usage.