Request #32079 PHP "Safe"-Mode not identifiable in X-Powered-By header
Submitted: 2005-02-23 15:17 UTC Modified: 2005-02-23 15:45 UTC
From: milky at users dot sf dot net Assigned:
Status: Wont fix Package: Feature/Change Request
PHP Version: Irrelevant OS: all
Private report: No CVE-ID: None
 [2005-02-23 15:17 UTC] milky at users dot sf dot net
Description:
------------
PHP sends an "X-Powered-By" header with each request answer, containing a PHP version string. It's also included with the Apache id in its "Server" header.

This version information, however, misses important information - for example which sort of PHP is running over there.

If PHP is running in crippled mode, it should identify itself as "SM-PHP/5.03" or just "S/M-PHP" or so. This would significantly benefit the Web hosting provider industry, since fewer contracts would be discarded again after customers find out that they've only been given "Safe"-Mode PHP.

Incorrectly advertising features ("PHP" instead of "S/M-PHP") counts as mischief in central Europe. *hint,hint*

(Given, that there is always either Python or Perl running on "safe"-moded Webservers, it's obvious that this setting was made for dumb providers. No need to discuss that again here; no?)


History

 [2005-02-23 15:31 UTC] derick@php.net
We won't change because of obvious security concerns. External people should not know exactly what your set-up is.
 [2005-02-23 15:45 UTC] milky at users dot sf dot net
Could you please explain how it could negatively impact "security" if it is ONLY revealed that your beloved "safe mode" is enabled? After all, it is meant to make PHP "safe", isn't it?
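Added example, not part of the bug report and not PHP project code: a header audit that lists every versioned product token a response discloses in the "X-Powered-By" and "Server" headers discussed in this thread. The two sample responses and their version strings are constructed; the function names are hypothetical.

```python
import re

# Product tokens as they appear in these headers: name[/version], e.g. PHP/5.0.3
TOKEN_RE = re.compile(r"([A-Za-z][\w.+-]*)(?:/(\d[\w.+~-]*))?")
AUDITED = {"x-powered-by": "X-Powered-By", "server": "Server"}

# Constructed sample: PHP advertising itself in both headers.
EXPOSED = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Server: Apache/2.0.52 (Unix) PHP/5.0.3",
    "x-powered-by: PHP/5.0.3",
    "Content-Type: text/html",
    "", "",
])

# Constructed sample: the same host with expose_php = Off in php.ini and
# ServerTokens Prod in the Apache configuration.
HARDENED = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Server: Apache",
    "Content-Type: text/html",
    "", "",
])

def parse_headers(raw):
    """Return [(lowercased name, value)] from a raw HTTP response head."""
    headers = []
    for line in raw.split("\r\n")[1:]:      # skip the status line
        if not line:                         # blank line ends the head
            break
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers

def disclosed_versions(raw):
    """Return [(header, product, version)] for each versioned token found."""
    findings = []
    for name, value in parse_headers(raw):
        if name not in AUDITED:
            continue
        # Drop parenthesised comments such as "(Unix)" before tokenising.
        value = re.sub(r"\([^)]*\)", " ", value)
        for product, version in TOKEN_RE.findall(value):
            if version:                      # a bare "Apache" is not a finding
                findings.append((AUDITED[name], product, version))
    return findings

if __name__ == "__main__":
    for label, raw in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(label, disclosed_versions(raw))
```
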
Last updated: Thu May 16 22:01:31 2024 UTC