[php-maint] Bug#582204: Bug#582204: php5: expose_php should be off by default to remove X-Powered-By headers

Ondřej Surý ondrej at debian.org
Wed May 19 06:25:31 UTC 2010


tag 582204 +wontfix
severity 582204 wishlist
thank you

Francois,

I don't agree with you (though not very strongly). Security by
obscurity never worked and I am opposed to applying this patch. Hiding
the version makes life harder for everybody else but the attacker.

Ondrej

On Wed, May 19, 2010 at 06:53, Francois Marier <francois at debian.org> wrote:
> Package: php5
> Version: 5.3.2-1
> Severity: normal
> Tags: patch
>
> I'm sure this has been mentioned before, but it would be nice if expose_php was
> disabled by default in php.ini.
>
> While these headers can be useful in development, they are also revealing the
> exact PHP version that the server is running. We don't need to make attackers'
> lives easier.
>
> This won't prevent a determined attacker from getting in, but it lowers the
> effectiveness of attacks based on mass scanning for vulnerable targets.
>
> Francois
>



-- 
Ondřej Surý <ondrej at sury.org>
http://blog.rfc1925.org/




