[php-maint] Bug#582204: php5: expose_php should be off by default to remove X-Powered-By headers

Francois Marier francois at debian.org
Wed May 19 04:53:39 UTC 2010


Package: php5
Version: 5.3.2-1
Severity: normal
Tags: patch

I'm sure this has been mentioned before, but it would be nice if expose_php was
disabled by default in php.ini.

While these headers can be useful in development, they are also revealing the
exact PHP version that the server is running. We don't need to make attackers'
lives easier.

This won't prevent a determined attacker from getting in, but it lowers the
effectiveness of attacks based on mass scanning for vulnerable targets.

Francois
-------------- next part --------------
Description: Prevent the addition of X-Powered-By headers by web server
 While these headers are useful in development, they are also revealing
 the exact PHP version that the server is running. We don't need to make
 attackers' lives easier.
 .
 This won't prevent a determined attacker from getting in, but it lowers
 the effectiveness of attacks based on simple reconnaissance techniques
 to scan for exploitable hosts.
 .
 Of course one of the downsides of turning this off is that you lose
 the PHP easter eggs: http://shiflett.org/blog/2006/feb/php-easter-eggs
Forwarded: not-needed
Origin: vendor
Author: Francois Marier <francois at debian.org>
Last-Update: 2010-05-19

--- php.ini-production.orig	2010-05-19 16:36:29.153744508 +1200
+++ php.ini-production	2010-05-19 16:36:04.654738390 +1200
@@ -428,7 +428,7 @@
 ; threat in any way, but it makes it possible to determine whether you use PHP
 ; on your server or not.
 ; http://php.net/expose-php
-expose_php = On
+expose_php = Off
 
 ;;;;;;;;;;;;;;;;;;;
 ; Resource Limits ;
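Review bot: the context lines just above the changed directive (`; threat in any way, but it makes it possible to determine whether you use PHP` / `; on your server or not.`) still describe expose_php as revealing only that PHP is in use, while the patch description gives disclosure of the exact PHP version via X-Powered-By as the reason for the new default; update that comment together with the default so the shipped file explains itself. The hunk also only touches php.ini-production; if the package ships a separate development template unchanged, say so in the description, since it already notes the header is useful in development.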

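Added example, not part of the bug report or of the Debian packaging: a small checker that reports the effective expose_php value from php.ini text and tells whether a captured HTTP response still carries a PHP version in X-Powered-By, so the change above can be verified after deployment. The ini fragment and response headers below are constructed; the boolean parsing approximates PHP's own handling of on/yes/true and integer values.

```python
import re

def _ini_bool(value: str) -> bool:
    """Approximate PHP's ini boolean parsing: on/yes/true are true,
    anything else is read as an integer (non-digits count as 0)."""
    v = value.strip().strip('"').lower()
    if v in ("on", "yes", "true"):
        return True
    m = re.match(r"[-+]?\d+", v)
    return bool(int(m.group())) if m else False

def expose_php_enabled(ini_text: str) -> bool:
    """Return the effective expose_php setting for the given php.ini text.
    PHP's built-in default is On, so a missing directive means enabled;
    a later assignment overrides an earlier one, as PHP does."""
    value = "On"
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop ';' comments
        m = re.match(r"expose_php\s*=\s*(.*)$", line, re.IGNORECASE)
        if m:
            value = m.group(1)
    return _ini_bool(value)

_XPB = re.compile(r"^X-Powered-By:\s*PHP/(\S+)", re.IGNORECASE | re.MULTILINE)

def php_version_from_headers(raw_headers: str):
    """Return the PHP version leaked by an X-Powered-By header, or None
    when the response does not disclose one."""
    m = _XPB.search(raw_headers)
    return m.group(1) if m else None

# Constructed sample input: the directive as shipped before the patch,
# the same fragment after it, and a captured response header block.
SAMPLE_INI_BEFORE = """
; Decides whether PHP may expose the fact that it is installed on the server
; http://php.net/expose-php
expose_php = On   ; default shipped value
"""
SAMPLE_INI_AFTER = SAMPLE_INI_BEFORE.replace("expose_php = On", "expose_php = Off")
SAMPLE_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Powered-By: PHP/5.3.2\r\n"
    "Content-Type: text/html\r\n\r\n"
)

if __name__ == "__main__":
    print("before:", expose_php_enabled(SAMPLE_INI_BEFORE))   # True
    print("after: ", expose_php_enabled(SAMPLE_INI_AFTER))    # False
    print("leaked:", php_version_from_headers(SAMPLE_HEADERS))  # 5.3.2
```

Point `php_version_from_headers` at the header block returned by a request to your own server to confirm the version string is gone once the new default is in place.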
