Package: php5
Version: 5.3.2-1
Severity: normal
Tags: patch

I'm sure this has been mentioned before, but it would be nice if expose_php was
disabled by default in php.ini.

While these headers can be useful in development, they are also revealing the
exact PHP version that the server is running. We don't need to make attackers'
lives easier.

This won't prevent a determined attacker from getting in, but it lowers the
effectiveness of attacks based on mass scanning for vulnerable targets.

Francois
Description: Prevent the addition of X-Powered-By headers by web server
 While these headers are useful in development, they are also revealing
 the exact PHP version that the server is running. We don't need to make
 attackers' lives easier.
 .
 This won't prevent a determined attacker from getting in, but it lowers
 the effectiveness of attacks based on simple reconnaissance techniques
 to scan for exploitable hosts.
 .
 Of course one of the downsides of turning this off is that you lose
 the PHP easter eggs: http://shiflett.org/blog/2006/feb/php-easter-eggs
Forwarded: not-needed
Origin: vendor
Author: Francois Marier <franc...@debian.org>
Last-Update: 2010-05-19

--- php.ini-production.orig     2010-05-19 16:36:29.153744508 +1200
+++ php.ini-production  2010-05-19 16:36:04.654738390 +1200
@@ -428,7 +428,7 @@
 ; threat in any way, but it makes it possible to determine whether you use PHP
 ; on your server or not.
 ; http://php.net/expose-php
-expose_php = On
+expose_php = Off
 
 ;;;;;;;;;;;;;;;;;;;
 ; Resource Limits ;
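Review bot: the hunk changes the default only in php.ini-production; if the package also ships php.ini-development (or a separate ini for the CLI SAPI), those still carry `expose_php = On`, and the Description should state that the change is deliberately limited to the production template. The upstream comment kept as context above the changed line still says the setting is no security threat, which now reads at odds with the patch rationale; consider adding a one-line Debian comment above `expose_php = Off` explaining that it is disabled to avoid advertising the exact PHP version.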
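A small audit helper, added here as an example and not part of the bug report or of the php5 package: it evaluates the effective expose_php value of a php.ini fragment using PHP's own rules for ini booleans (case-insensitive, last assignment wins, compiled-in default On), and checks a raw HTTP header block for the X-Powered-By header the report describes. The ini text and header block are constructed samples.

```python
import re

# Constructed sample: the relevant fragment of a php.ini-production file.
SAMPLE_INI = """
; Decides whether PHP may expose the fact that it is installed on the server
; http://php.net/expose-php
expose_php = On

[Date]
; expose_php = Off   <- commented out, must be ignored by the audit
"""

# PHP treats these (case-insensitively) as "on"; "off", "no", "false",
# "none", "0" and the empty string all mean "off".
_TRUE_VALUES = {"1", "on", "true", "yes"}
_LINE = re.compile(r"^\s*expose_php\s*=\s*(.*?)\s*$", re.IGNORECASE)


def expose_php_setting(ini_text):
    """Return the effective expose_php value (True = exposed) for one ini file.

    ';' starts a comment (whole line or trailing) and is stripped first,
    the directive name is matched case-insensitively, and if the directive
    is repeated the last assignment wins, as in PHP itself. When the
    directive is absent, PHP's compiled-in default (expose_php = 1) applies.
    """
    value = True  # compiled-in default: exposed
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0]  # drop comments before matching
        m = _LINE.match(line)
        if m:
            value = m.group(1).strip('"').lower() in _TRUE_VALUES
    return value


def header_reveals_php(response_headers):
    """True if a raw HTTP header block carries an X-Powered-By: PHP/... header."""
    for line in response_headers.splitlines():
        name, _, val = line.partition(":")
        if name.strip().lower() == "x-powered-by" and "php" in val.lower():
            return True
    return False
```

Run over each php.ini that a SAPI actually loads (production, development, CLI) rather than only one, since each can set the directive independently.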
