Bug #30892 expose_php *is* effectively a security threat
Submitted: 2004-11-25 06:21 UTC
Modified: 2004-11-25 23:05 UTC
From: mark_php at stewards dot telinco dot co dot uk
Assigned:
Status: Not a bug
Package: PHP options/info functions
PHP Version: 5.0.2
OS: Windows XP SP2
Private report: No
CVE-ID: None
 [2004-11-25 06:21 UTC] mark_php at stewards dot telinco dot co dot uk
Description:
------------
A very minor issue - I think the wording could be more informative, given today's apathy for updating.  expose_php *can be* a security threat if the user doesn't keep PHP up-to-date.

Hiding it doesn't make a server more secure, but will protect from large-scale sweeps, and I've seen it used as an excuse not to update.  On the other hand, it stops the considerate people noticing (not really a factor for a sensible admin) and breaks web-software surveys.

I'd suggest changing it to something like "It is not a security threat on its own", and adding "Do not remove this to hide the fact that you don't update - join the PHP announcements list.".

Reproduce code:
---------------
;
; Misc
;
; Decides whether PHP may expose the fact that it is installed on the server
; (e.g. by adding its signature to the Web server header).  It is no security
; threat in any way, but it makes it possible to determine whether you use PHP
; on your server or not.
expose_php = On



 [2004-11-25 23:05 UTC] iliaa@php.net
not an issue.
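
The distinction the report draws, that hiding the banner and keeping PHP patched are separate matters, can be checked mechanically. The following is an added example, not code from the report or from the PHP project: the function names, the sample headers and the sample ini text are constructed, and `installed` and `minimum` are plain dotted version strings supplied by the operator.

```python
import re

# Constructed sample inputs (not captured from a real server).
SAMPLE_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache (Win32) PHP/5.0.2\r\n"
    "X-Powered-By: PHP/5.0.2\r\n"
    "Content-Type: text/html\r\n"
)
SAMPLE_INI = "; Misc\n;expose_php = Off\nexpose_php = On\n"

PHP_TOKEN = re.compile(r"\bPHP/(\d+(?:\.\d+)*)", re.IGNORECASE)


def disclosed_versions(raw_headers):
    """Map header name -> PHP version for headers that carry a PHP signature."""
    found = {}
    for line in raw_headers.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        match = PHP_TOKEN.search(value)
        if sep and match and name.strip().lower() in ("server", "x-powered-by"):
            found[name.strip().lower()] = match.group(1)
    return found


def expose_php_enabled(ini_text, default=True):
    """Effective expose_php in php.ini text: comments ignored, last assignment wins."""
    enabled = default  # PHP's built-in default is On
    for line in ini_text.splitlines():
        key, sep, value = line.split(";", 1)[0].partition("=")
        if sep and key.strip().lower() == "expose_php":
            v = value.strip().strip("\"'").lower()
            enabled = v in ("on", "true", "yes") or (v.isdigit() and int(v) != 0)
    return enabled


def as_tuple(version):
    # Assumes a purely numeric dotted version such as "5.0.2".
    return tuple(int(part) for part in version.split("."))


def audit(raw_headers, ini_text, installed, minimum):
    """Report disclosure and patch level as independent findings."""
    findings = []
    if as_tuple(installed) < as_tuple(minimum):
        findings.append("outdated")  # true whether or not the banner is hidden
    if expose_php_enabled(ini_text):
        findings.append("expose_php on")
    for header, version in sorted(disclosed_versions(raw_headers).items()):
        findings.append(f"{header} discloses PHP/{version}")
    return findings
```

With `expose_php = Off` and no PHP token in the headers, an out-of-date install still yields the `outdated` finding, which is the case the report warns about.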
 
Last updated: Sun Apr 28 12:01:28 2024 UTC