[php-maint] Bug#582204: php5: expose_php should be off by default to remove X-Powered-By headers
Francois Marier
francois at debian.org
Wed May 19 04:53:39 UTC 2010
Package: php5
Version: 5.3.2-1
Severity: normal
Tags: patch
I'm sure this has been mentioned before, but it would be nice if expose_php was
disabled by default in php.ini.
While these headers can be useful in development, they are also revealing the
exact PHP version that the server is running. We don't need to make attackers'
lives easier.
This won't prevent a determined attacker from getting in, but it lowers the
effectiveness of attacks based on mass scanning for vulnerable targets.
Francois
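As an added example, not part of this report or of the Debian package, a small Python audit helper for the change requested above: it reads the effective `expose_php` value out of a php.ini fragment (following PHP's own rule that the built-in default is On, `;` comments are ignored, and the last uncommented assignment wins, with On/Off/true/false/1/0 accepted case-insensitively) and checks a block of captured response headers for a version-bearing X-Powered-By header. The ini fragment, the header block and its version string are constructed sample input.

```python
import re

# Constructed php.ini fragment: a commented-out default followed by the
# setting the patch proposes. Not copied from any real php.ini.
SAMPLE_INI = """\
; http://php.net/expose-php
;expose_php = On
expose_php = Off
"""

# Constructed headers as sent by a server running with expose_php = On;
# the version string is invented for the example.
SAMPLE_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Powered-By: PHP/5.3.2-1\r\n"
    "Content-Type: text/html\r\n"
)


def _ini_bool(word: str) -> bool:
    """Mirror PHP's boolean ini parsing: true/yes/on or a non-zero number."""
    word = word.strip().strip('"').lower()
    if word in ("true", "yes", "on"):
        return True
    match = re.match(r"[-+]?\d+", word)  # PHP falls back to atoi()
    return bool(match and int(match.group()) != 0)


def expose_php_enabled(ini_text: str) -> bool:
    """Effective expose_php value for a php.ini text.

    expose_php is PHP_INI_SYSTEM, so only php.ini can set it; PHP's own
    default is On, and a later uncommented assignment overrides an earlier one.
    """
    enabled = True
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        match = re.match(r"expose_php\s*=\s*(.*)$", line, re.IGNORECASE)
        if match:
            enabled = _ini_bool(match.group(1))
    return enabled


def php_version_leak(raw_headers: str):
    """Return the PHP version disclosed via X-Powered-By, or None."""
    for line in raw_headers.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "x-powered-by":
            match = re.search(r"PHP/(\S+)", value)
            if match:
                return match.group(1)
    return None
```

A server with `expose_php = Off` can still be recognised as PHP by other means (file extensions, session cookie names), so the header check only measures what this one directive controls.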
Description: Prevent the addition of X-Powered-By headers by the web server
While these headers are useful in development, they are also revealing
the exact PHP version that the server is running. We don't need to make
attackers' lives easier.
.
This won't prevent a determined attacker from getting in, but it lowers
the effectiveness of attacks based on simple reconnaissance techniques
to scan for exploitable hosts.
.
Of course one of the downsides of turning this off is that you lose
the PHP easter eggs: http://shiflett.org/blog/2006/feb/php-easter-eggs
Forwarded: not-needed
Origin: vendor
Author: Francois Marier <francois at debian.org>
Last-Update: 2010-05-19
--- php.ini-production.orig 2010-05-19 16:36:29.153744508 +1200
+++ php.ini-production 2010-05-19 16:36:04.654738390 +1200
@@ -428,7 +428,7 @@
; threat in any way, but it makes it possible to determine whether you use PHP
; on your server or not.
; http://php.net/expose-php
-expose_php = On
+expose_php = Off
;;;;;;;;;;;;;;;;;;;
; Resource Limits ;
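Review bot: the two unchanged context lines directly above the changed setting (`; threat in any way, but it makes it possible to determine whether you use PHP` / `; on your server or not.`) still describe expose_php as not a security threat, which argues against the rationale given in the Description; since php.ini-production is shipped to users, consider extending the hunk so that comment also mentions the version disclosure, rather than leaving the file contradicting its own default. The patch touches only php.ini-production, which is consistent with the Description's remark that the headers are useful in development, but saying so explicitly in the Description would stop a reader from assuming php.ini-development was overlooked.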