PHP :: Request #32079 :: PHP "Safe"-Mode not identifiable in X-Powered-By header

Request #32079	PHP "Safe"-Mode not identifiable in X-Powered-By header
Submitted:	2005-02-23 15:17 UTC	Modified:	2005-02-23 15:45 UTC
From:	milky at users dot sf dot net	Assigned:
Status:	Wont fix	Package:	Feature/Change Request
PHP Version:	Irrelevant	OS:	all
Private report:	No	CVE-ID:	None

[2005-02-23 15:17 UTC] milky at users dot sf dot net

Description:
------------
PHP sends an "X-Powered-By" header with each request answer, containing a PHP version string. It's also included with the Apache id in its "Server" header.

This version information however misses important informations - for example which sort of PHP is running over there.

If PHP is running in crippled mode, it should identify itself as "SM-PHP/5.03" or just "S/M-PHP" or so. This would significantly benefit the Web hosting provider industry, since fewer contracts would be discarded again after customers find out that they've only be given "Safe"-Mode PHP.

Incorrectly advertising features ("PHP" instead of "S/M-PHP") counts as mischief in central Europe. *hint,hint*

(Given, that there is always either Python or Perl running on "safe"-moded Webservers, it's obvious that this setting was made for dumb providers. No need to discuss that again here; no?)

Patches

Pull Requests

History

[2005-02-23 15:31 UTC] derick@php.net

We won't change because of obvious security concerns. External  people should not know exactly what your set-up is.

[2005-02-23 15:45 UTC] milky at users dot sf dot net

Could you please explain, how it could negatively impact "security" if it is ONLY revealed that your beloved "safe mode" is enabled? After all, it is meant to make PHP "safe", isn't it?

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu May 16 08:01:33 2024 UTC