[php-maint] Bug#582204: expose_php does more than include X-Powered-By header.

[Simon Waters]

The toggle has two values.

On - default
 Inserts X-Powered-By header with PHP version.
 Causes phpcredits page, PHP and ZEND LOGOs to be displayed in
unexpected fashion where people's webpages would be expected.
 Enables Logos to be displayed in the phpinfo() output.

Off - not default
 Responses are smaller
 Removes unexpected display of credits and logos.
 No Logos are displayed in phpinfo() output.

If it was off, would anyone switch it on? No.

Anyone wishing to obtain compliance to credit card industry standards
must disable it.

Leaving it on creates work for users, who often have to or wish to
disable it, produces unexpected behaviour, and consumes more bandwidth.
It is a rather user hostile position to leave it defaulted to "On".

PHP5.5 will remove the display of phpcredits, and logos, but retains the
X-Powered-By header, and so will still require disabling of this feature
on most serious deployments, but upstream presumably thought the display
of credits and logos an issue enough to remove it from the code base
entirely. My brief inspection of the 5.5a4 code suggests this parameter
will just toggle the X-Powered-By header in 5.5 and later.

The actual display of logos and credits appears secure, in that it
returns the logos though the name of the page requested with different
GUID parameters (so no dependence on other servers). And none of the
pages permit of trivial injection attacks. That said I can imagine it
might be possible to use it to confuse naive search engines, or naive
proxy servers (or naive users), into displaying, caching or indexing the
wrong content for a website. As such having expose_php enabled before
5.5 is potentially a security issue over and above information leakage.
I would advise everyone to disable the option, since it has no upside,
will increase bandwidth costs, and has other potential issues.