
Bug 300695

Summary: dev-lang/php-5.2.12: Clients can see the version of PHP with default configuration
Product: Gentoo Linux
Reporter: Ivan Mironov <mironov.ivan>
Component: [OLD] Development
Assignee: PHP Bugs <php-bugs>
Status: RESOLVED FIXED
Severity: enhancement
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on: 274512
Bug Blocks:

Description Ivan Mironov 2010-01-12 11:01:35 UTC
In the default PHP configuration the option "expose_php" is set to "On". This option allows PHP to show its version in the "X-Powered-By" HTTP header. This allows an attacker to know exactly what version is installed on the system and possibly find a vulnerability for an attack.

Reproducible: Always

Steps to Reproduce:
1. Install PHP with USE="apache2".
2. Run apache with option -D PHP5.
3. Install some PHP web application or write simple PHP-script.
4. See what headers server sends when you request page from PHP-script.

Actual Results:
$ wget -S -O /dev/null 'http://localhost/' 2>&1 | grep PHP
  X-Powered-By: PHP/5.2.12-pl0-gentoo

This option (expose_php) can be safely turned off in the default PHP configuration in Gentoo, as it does not affect any PHP functionality.

I think that in the default configuration of Gentoo's PHP, expose_php should be set to Off for the same reason that in the Apache settings "ServerTokens" is set to "Prod" (see bug #84063).
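The check the reporter ran by hand, as an added example that is not part of the bug report or of Gentoo's PHP packaging: a small POSIX sh audit that scans captured response headers (the `wget -S` output format shown above) for Server / X-Powered-By values carrying a product/version token, so a hardening script can verify that expose_php=Off and ServerTokens Prod actually took effect. The two header samples are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the bug report). Audits HTTP response headers for
# product/version disclosure in the Server and X-Powered-By headers.

# Constructed sample: `wget -S` style headers before hardening
# (expose_php=On, ServerTokens Full).
SAMPLE_BEFORE='  HTTP/1.1 200 OK
  Date: Tue, 12 Jan 2010 11:00:00 GMT
  Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14
  X-Powered-By: PHP/5.2.12-pl0-gentoo
  Content-Type: text/html'

# Constructed sample: the same response after expose_php=Off and ServerTokens Prod.
SAMPLE_AFTER='  HTTP/1.1 200 OK
  Date: Tue, 12 Jan 2010 11:00:00 GMT
  Server: Apache
  Content-Type: text/html'

# Header name plus a "name/x.y" style version token anywhere in the value.
# Leading whitespace is allowed because wget -S indents each header line.
LEAK_RE='^[[:space:]]*(server|x-powered-by):.*[A-Za-z]+/[0-9]+(\.[0-9]+)*'

# leaking_headers HEADERS: print each offending header line, trimmed.
leaking_headers() {
    printf '%s\n' "$1" | grep -iE "$LEAK_RE" | sed 's/^[[:space:]]*//' || true
}

# count_version_leaks HEADERS: print the number of offending header lines (0 if clean).
count_version_leaks() {
    printf '%s\n' "$1" | grep -icE "$LEAK_RE" || true
}

# Usage: report on both samples. Real use would feed in
#   wget -S -O /dev/null 'http://localhost/' 2>&1
for name in SAMPLE_BEFORE SAMPLE_AFTER; do
    eval "hdrs=\$$name"
    n=$(count_version_leaks "$hdrs")
    if [ "$n" -gt 0 ]; then
        echo "$name: $n version-disclosing header(s):"
        leaking_headers "$hdrs" | sed 's/^/    /'
    else
        echo "$name: no version disclosure in Server/X-Powered-By"
    fi
done
```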
Comment 1 Christian Hoffmann (RETIRED) gentoo-dev 2010-01-12 16:55:13 UTC
Yes, you are right. I've planned to do that in 5.3 anyway; I've applied this change now.
See bug 274512 for status on 5.3.

Security by obscurity is nothing I want to support, but I see your point.
Comment 2 Matti Bickel (RETIRED) gentoo-dev 2010-06-11 19:58:56 UTC
As promised, this is in php-5.3.2