Bug #30892 expose_php *is* effectively a security threat
Submitted: 2004-11-25 06:21 UTC
Modified: 2004-11-25 23:05 UTC
From: mark_php at stewards dot telinco dot co dot uk
Assigned:
Status: Not a bug
Package: PHP options/info functions
PHP Version: 5.0.2
OS: Windows XP SP2
Private report: No
CVE-ID: None
 [2004-11-25 06:21 UTC] mark_php at stewards dot telinco dot co dot uk
Description:
------------
A very minor issue - I think the wording could be more informative, given today's apathy for updating.  expose_php *can be* a security threat if the user doesn't keep PHP up-to-date.

Hiding it doesn't make a server more secure, but will protect from large-scale sweeps, and I've seen it used as an excuse not to update.  On the other hand, it stops the considerate people noticing (not really a factor for a sensible admin) and breaks web-software surveys.

I'd suggest changing it to something like "It is not a security threat on its own", and adding "Do not remove this to hide the fact that you don't update - join the PHP announcements list.".

Reproduce code:
---------------
;
; Misc
;
; Decides whether PHP may expose the fact that it is installed on the server
; (e.g. by adding its signature to the Web server header).  It is no security
; threat in any way, but it makes it possible to determine whether you use PHP
; on your server or not.
expose_php = On



 [2004-11-25 23:05 UTC] iliaa@php.net
not an issue.
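
For administrators who want to check what the directive quoted in the report resolves to on their own server, and what a response then discloses, here is an added Python example; it is not part of the original report or of PHP. The function names and sample data are constructed, and it assumes the banner appears in the `X-Powered-By` header or as a `PHP/<version>` token in `Server`.

```python
import re

def ini_bool(value):
    """Approximate php.ini boolean parsing: on/yes/true or a non-zero integer."""
    v = value.strip().strip("\"'").lower()
    return v in ("on", "yes", "true") or (v.isdigit() and int(v) != 0)

def effective_expose_php(ini_text, default=True):
    """Return the expose_php value a php.ini text yields (last setting wins).

    Simplification: [HOST=]/[PATH=] sections and other ini sources are ignored.
    PHP's built-in default is On, so a file without the directive returns True.
    """
    value = default
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ';' comments
        m = re.match(r"(?i)expose_php\s*=\s*(.*)$", line)
        if m:
            value = ini_bool(m.group(1))
    return value

def php_banner(raw_headers):
    """Return PHP version strings disclosed in X-Powered-By or Server headers."""
    found = []
    for line in raw_headers.splitlines():
        name, _, val = line.partition(":")
        if name.strip().lower() in ("x-powered-by", "server"):
            found += re.findall(r"PHP/([\w.\-]+)", val)
    return found

# Constructed sample: the shipped default followed by a later override.
SAMPLE_INI = """\
; Misc
expose_php = On
;expose_php = On   (commented out, ignored)
expose_php = Off   ; later line overrides the earlier one
"""

# Constructed sample response headers, using the PHP version named in the report.
SAMPLE_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.0.52 (Win32) PHP/5.0.2\r\n"
    "X-Powered-By: PHP/5.0.2\r\n"
)

if __name__ == "__main__":
    print("expose_php effective:", effective_expose_php(SAMPLE_INI))
    print("versions disclosed:", php_banner(SAMPLE_HEADERS))
```

An empty result from `php_banner` says only that the version is no longer advertised; it says nothing about whether the installed PHP is up to date, which is the distinction the report draws.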
 
Last updated: Sat Apr 27 18:01:35 2024 UTC