Posted by: prajapatinilesh | January 21, 2008

Exposing PHP is a Security Risk

In php.ini, there is this:

; Misc
; Decides whether PHP may expose the fact that it is installed on the server
; (e.g. by adding its signature to the Web server header). It is no security
; threat in any way, but it makes it possible to determine whether you use PHP
; on your server or not.
expose_php = On

What this means is that for every request handled by PHP, the server sends an additional response header that looks something like this:

X-Powered-By: PHP/5.2.3-1ubuntu6

With PHP it is all or nothing: there is no setting to send a trimmed value such as PHP/5 or just PHP. You can override the full header from a script by doing something like:

header("X-Powered-By: Cookies-and-Sess/2.5");

Or something similar, but you have to do it manually for every script. There isn't really a server-wide override.
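As an added check (not part of the original post), the following Python script parses a raw HTTP response and reports whether the X-Powered-By header discloses a PHP version, covering the three states discussed above: header present with the PHP banner, header overridden from a script, and header absent. The sample responses are constructed, and the helper names are this example's own.

```python
"""Audit an HTTP response for the PHP version banner in X-Powered-By."""
import re
from typing import Dict, Optional

# Matches the value PHP sends when expose_php = On,
# e.g. "PHP/5.2.3-1ubuntu6" -> version "5.2.3-1ubuntu6".
PHP_BANNER = re.compile(r"^PHP/(?P<version>\S+)", re.IGNORECASE)


def parse_headers(raw_response: str) -> Dict[str, str]:
    """Split a raw HTTP response head into {header-name: value} (names lower-cased).
    Only the head (up to the first blank line) is inspected; the body is ignored."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\n")[1:]:  # line 0 is the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def php_version_disclosed(raw_response: str) -> Optional[str]:
    """Return the PHP version leaked via X-Powered-By, or None when the header
    is absent or carries a non-PHP value (e.g. overridden with header())."""
    value = parse_headers(raw_response).get("x-powered-by")
    if value is None:
        return None
    match = PHP_BANNER.match(value)
    return match.group("version") if match else None


# Constructed sample responses (not captured from a real server).
EXPOSED = ("HTTP/1.1 200 OK\r\nServer: Apache\r\n"
           "X-Powered-By: PHP/5.2.3-1ubuntu6\r\n"
           "Content-Type: text/html\r\n\r\n<html></html>")
OVERRIDDEN = ("HTTP/1.1 200 OK\r\nServer: Apache\r\n"
              "X-Powered-By: Cookies-and-Sess/2.5\r\n"
              "Content-Type: text/html\r\n\r\n<html></html>")
HIDDEN = ("HTTP/1.1 200 OK\r\nServer: Apache\r\n"
          "Content-Type: text/html\r\n\r\n<html></html>")

if __name__ == "__main__":
    for label, resp in (("exposed", EXPOSED), ("overridden", OVERRIDDEN), ("hidden", HIDDEN)):
        print(f"{label}: PHP version disclosed = {php_version_disclosed(resp)}")
```

Run the same check against your own server's responses after setting expose_php or adding the header() override to confirm the banner is actually gone.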

