Posted by: prajapatinilesh | January 21, 2008

Exposing PHP is a Security Risk

In php.ini, there is this:
; Misc
;
; Decides whether PHP may expose the fact that it is installed on the server
; (e.g. by adding its signature to the Web server header). It is no security
; threat in any way, but it makes it possible to determine whether you use PHP
; on your server or not.
expose_php = On

What this means is that for every request handled by PHP, the server sends an additional response header that looks something like this:

X-Powered-By: PHP/5.2.3-1ubuntu6

With PHP, it’s all or nothing: the header carries the full version string, and there is no option to reduce it to PHP/5 or just PHP. You can overwrite the version string by doing something like:

<?php
header("X-Powered-By: Cookies-and-Sess/2.5");
?>

Or something similar, but you have to do it manually for every script. There isn’t really a server-wide override.
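A defender-side check for the setting and header discussed above, as an added example that is not part of the original post: it reads php.ini text for the effective expose_php value and looks for a PHP version in an observed X-Powered-By header. The function names and sample strings are constructed for illustration; treating On/1/yes/true as enabled, and On as the default when the directive is absent, are assumptions about PHP's ini handling.

```python
import re

# Assumption: values PHP's ini parser treats as "on" (case-insensitive).
_TRUE = {"1", "on", "yes", "true"}

def expose_php_enabled(ini_text, default=True):
    """Effective expose_php value in php.ini text; the last assignment wins.

    default=True assumes PHP's built-in default (On) when the directive is absent.
    """
    value = default
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # ';' starts a comment in php.ini
        m = re.fullmatch(r'expose_php\s*=\s*"?([^"]*)"?', line, re.I)
        if m:
            value = m.group(1).strip().lower() in _TRUE
    return value

def leaked_php_version(raw_headers):
    """Return the PHP version disclosed in X-Powered-By, or None."""
    for line in raw_headers.splitlines():
        name, _, val = line.partition(":")
        if name.strip().lower() == "x-powered-by":
            m = re.match(r"\s*PHP/(\S+)", val, re.I)
            if m:
                return m.group(1)
    return None

def audit(ini_text, raw_headers):
    """Collect findings from both the configuration and an observed response."""
    findings = []
    if expose_php_enabled(ini_text):
        findings.append("php.ini: expose_php is enabled")
    version = leaked_php_version(raw_headers)
    if version:
        findings.append("response discloses PHP version " + version)
    return findings

# Constructed samples: the setting and header quoted in the post, plus a hardened pair.
INI_DEFAULT = "; Misc\nexpose_php = On\n"
INI_HARDENED = "expose_php = Off ; hide the PHP signature\n"
HEADERS_DEFAULT = "HTTP/1.1 200 OK\r\nX-Powered-By: PHP/5.2.3-1ubuntu6\r\n"
HEADERS_OVERRIDDEN = "HTTP/1.1 200 OK\r\nX-Powered-By: Cookies-and-Sess/2.5\r\n"

if __name__ == "__main__":
    print(audit(INI_DEFAULT, HEADERS_DEFAULT))
    print(audit(INI_HARDENED, HEADERS_OVERRIDDEN))
```

Checking both sides matters because a script can overwrite the header while php.ini still has the setting enabled, so any other PHP script on the server keeps sending the version.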
