?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 displays php credits, it also displays
credits for all modules.
This effectively makes it a security issue since it allows an attacker to scan for
a specific vulnerable module and then exploit it.
?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 should be disabled by default, or
display generic information only. The current behavior is unacceptable.
Specific information regarding installed modules is displayed.
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php
Attackers can easily brute force without knowing the version. But if you fear this makes things insecure you can set expose_php=Off in php.ini.
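An added example, not part of this bug thread or of PHP's own code: a local audit of php.ini text for the expose_php setting mentioned above, treating an absent or commented-out directive as enabled, which is PHP's default. The function names and sample ini snippets are constructed for illustration, and the parsing is simplified (it assumes the last setting in the file wins and ignores per-directory overrides).

```python
import re

def ini_bool(raw):
    """Interpret an ini value the way PHP boolean directives do:
    on/yes/true or a non-zero integer is true, anything else is false."""
    v = raw.strip().strip("\"'").lower()
    if v in ("on", "yes", "true"):
        return True
    m = re.match(r"[+-]?\d+", v)
    return bool(m) and int(m.group()) != 0

def expose_php_enabled(ini_text):
    """Return True if this php.ini text leaves expose_php switched on."""
    enabled = True  # PHP's built-in default when the directive is absent
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ';' comments
        # Directive names are case sensitive, so match the exact name.
        m = re.match(r"expose_php\s*=\s*(.*)$", line)
        if m:
            enabled = ini_bool(m.group(1))  # assumption: last setting wins
    return enabled

# Constructed sample configurations (not taken from any real server).
SAMPLES = {
    "directive absent": "[PHP]\nmemory_limit = 128M\n",
    "commented out": "; expose_php = Off\n",
    "explicitly off": "[PHP]\nexpose_php = Off ; hide PHP from headers\n",
    "numeric zero": "expose_php=0\n",
    "overridden later": "expose_php = On\nexpose_php = Off\n",
    "explicitly on": "expose_php = On\n",
}

def audit(samples):
    """Map each sample name to 'EXPOSED' or 'hidden'."""
    return {name: "EXPOSED" if expose_php_enabled(text) else "hidden"
            for name, text in samples.items()}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{name:18} {verdict}")
```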
Sorry, but it is a real issue.
It should be disabled by default.
Nope - this is not a bug.
Just disable it in your config file.
I agree with mhaisley, this is a security vulnerability and should be disabled by
default. Many PCI compliance scanners will fail a site if it is turned on.
I realize that it's not a major vulnerability, but it does give attackers
information that could help them compromise a system. What are the benefits of
having it enabled by default? I can't think of any significant ones. Whatever
benefits there are, they'd have to outweigh the downsides, and that doesn't seem
likely in this case.
@ian_dunn: The logo GUIDs have been removed in master. So presumably this issue (whether it actually is one or not) will not exist anymore in PHP 5.5.
nikic, but now I know when PHP is 5.5 or higher easily. Or isn't it?
That's really BS, what's the point of having that info available? If the server owner wants to know about PHP stuff they can simply use the already known phpinfo(). What a waste of resources having it process such a useless page. It may not be a bug, but it's a bad design choice then. I got shocked when I found out about the param and realized that it was working in a website of mine, where I don't have access to php.ini, so I'm not sure if I can disable such an option. Fix... err... CHANGE it now! And I don't mean simply making it disabled by default, I mean scratching it out for good.