In the default PHP configuration the option "expose_php" is set to "On". This option allows PHP to show its version in the "X-Powered-By" HTTP header. This allows an attacker to know exactly what version is installed on the system and possibly find a vulnerability to attack.

Reproducible: Always

Steps to Reproduce:
1. Install PHP with USE="apache2".
2. Run apache with the option -D PHP5.
3. Install some PHP web application or write a simple PHP script.
4. See what headers the server sends when you request a page from the PHP script.

Actual Results:
$ wget -S -O /dev/null 'http://localhost/' 2>&1 | grep PHP
  X-Powered-By: PHP/5.2.12-pl0-gentoo

This option (expose_php) can be safely turned off in the default PHP configuration in Gentoo, as it does not affect any of the PHP functionality. I think that in the default configuration of Gentoo's PHP, expose_php should be set to Off for the same reason that in the Apache settings "ServerTokens" is set to "Prod" (see bug #84063).
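The wget check in the report can be turned into a small reusable test. The following script is an added example and is not part of the bug report or of Gentoo's PHP packaging; the header blocks it checks are constructed here to stand in for a server with expose_php On and one with it Off, and the function names (php_version_disclosed, check_url) are my own.

```shell
#!/bin/sh
# Added example: detect PHP version disclosure through the X-Powered-By header.
# The sample header blocks below are constructed, not captured from a real host.
# They mimic the output of "wget -S", which indents each header with two spaces.

HEADERS_EXPOSED='  HTTP/1.1 200 OK
  Server: Apache
  X-Powered-By: PHP/5.2.12-pl0-gentoo
  Content-Type: text/html'

HEADERS_HARDENED='  HTTP/1.1 200 OK
  Server: Apache
  Content-Type: text/html'

# Reads an HTTP header block on stdin. Prints the disclosed PHP version and
# returns 0 if an "X-Powered-By: PHP/<version>" header is present; returns 1
# (and prints nothing) otherwise. Header names are case-insensitive, so the
# pattern tolerates any casing, and leading whitespace from wget -S is allowed.
php_version_disclosed() {
    tr -d '\r' |
        sed -n 's/^[[:space:]]*[Xx]-[Pp][Oo][Ww][Ee][Rr][Ee][Dd]-[Bb][Yy]:[[:space:]]*PHP\/\([^[:space:]]*\).*/\1/p' |
        grep .   # "grep ." exits 1 when sed printed nothing, i.e. no disclosure
}

# Live check against a URL, as in the bug report: fetch only the headers and
# feed them to the detector. Exit status 0 means the server discloses its
# PHP version; the remediation is expose_php = Off in php.ini.
check_url() {
    wget -S -O /dev/null "$1" 2>&1 | php_version_disclosed
}

# Stand-alone demonstration on the constructed samples.
if [ "${RUN_DEMO:-0}" = 1 ]; then
    printf '%s\n' "$HEADERS_EXPOSED" | php_version_disclosed && echo "exposed: version disclosed above"
    printf '%s\n' "$HEADERS_HARDENED" | php_version_disclosed || echo "hardened: no PHP version in headers"
fi
```

Run with `RUN_DEMO=1 sh check.sh` to see the two outcomes, or call `check_url http://localhost/` against a host you administer; a non-zero exit means the header is absent, which is what you should see after setting expose_php = Off and restarting Apache.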
Yes, you are right. I had planned to do that in 5.3 anyway; I've applied this change now. See bug 274512 for status on 5.3. Security by obscurity is nothing I want to support, but I see your point.
As promised, this is in php-5.3.2