Last Updated: February 25, 2016
tlackemann

Your PHP site may not be secure

Do you know about PHP's easter eggs? I've run into this often and it's actually pretty alarming. Take any PHP site and replace the query string with the one below. It has to be the entire query string, copied exactly, because PHP compares it character for character:

?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000

Do you see the PHP credits page? If so, your site is running with expose_php turned on and is giving visitors more than they need. The credits page itself is harmless, but the same setting makes PHP add an X-Powered-By header carrying the exact PHP version to every response, and a clever visitor can read that header and look up the security flaws known for that release.

It's good practice to always make sure

expose_php = off

is set in your php.ini file, and then to restart Apache or PHP-FPM, since php.ini is only read at startup. This disables the easter eggs and stops PHP from advertising its version in the X-Powered-By header (and, under mod_php, in Apache's Server header). PHP 5.5 removed the easter eggs entirely, but expose_php still controls the version header, so the setting matters on every release.
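As an added example (my own code, not part of the original tip and not anything PHP ships), here is a small Python script that builds the probe URL the way PHP actually expects it, fetches it, and classifies the answer. It also handles the case the tip does not spell out: a PHP 5.5 or newer host has no credits page at all, yet X-Powered-By still leaks the version when expose_php is on. The three GUID constants are the ones PHP recognises; the sample responses at the bottom are constructed for the offline check, and the User-Agent string is an arbitrary choice.

```python
"""Check whether a PHP site answers the expose_php easter egg or leaks its
version in headers.

Added example for the tip above, not code from the original post. It uses
only the Python standard library. The sample responses at the bottom are
constructed for the offline self-check, not captured from a real host.
"""
import re
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit

# GUIDs that PHP before 5.5 answers to when expose_php=On. PHP compares the
# whole query string with strcmp, so it must be "=<GUID>" with nothing before
# or after it and with exactly this letter case.
CREDITS_GUID = "PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000"    # credits page
PHP_LOGO_GUID = "PHPE9568F34-D428-11d2-A769-00AA001ACF42"   # PHP logo image
ZEND_LOGO_GUID = "PHPE9568F35-D428-11d2-A769-00AA001ACF42"  # Zend logo image

# "PHP/5.3.3-7+squeeze15" -> "5.3.3"; the suffix is distro packaging noise.
VERSION_RE = re.compile(r"PHP/(\d+\.\d+(?:\.\d+)?)")


def probe_url(url, guid=CREDITS_GUID):
    """Return `url` with its query string replaced by the exact easter-egg query.

    Any existing query is dropped on purpose: "?page=1&=PHPB8..." is not
    honoured by PHP, only "?=PHPB8..." on its own is.
    """
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path or "/", "=" + guid, ""))


def assess(headers, body):
    """Classify one response to the probe URL.

    headers: mapping of response header name -> value (any letter case).
    body:    raw response body as bytes.
    Returns the signals that leaked. X-Powered-By is the reliable indicator:
    PHP >= 5.5 has no easter eggs, so a missing credits page on its own
    proves nothing about expose_php.
    """
    lower = {name.lower(): value for name, value in headers.items()}
    powered_by = lower.get("x-powered-by", "")
    # mod_php also appends "PHP/x.y.z" to the Server header when ServerTokens allows it.
    server = lower.get("server", "")

    version = None
    for value in (powered_by, server):
        match = VERSION_RE.search(value)
        if match:
            version = match.group(1)
            break

    credits_page = b"PHP Credits" in body  # heading of the credits page
    return {
        "credits_page": credits_page,
        "x_powered_by": powered_by,
        "php_version": version,
        # Either signal means expose_php is on for the SAPI serving this URL.
        "expose_php": credits_page or powered_by.startswith("PHP/"),
    }


def fetch(url, timeout=10):
    """Issue the probe request and return (headers, body).

    A 403 (for example from an .htaccess rule that blocks the GUID) still
    carries headers worth inspecting, so HTTP errors are returned, not raised.
    """
    request = urllib.request.Request(url, headers={"User-Agent": "expose-php-check"})
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return dict(response.headers.items()), response.read()
    except urllib.error.HTTPError as err:
        return dict(err.headers.items()), err.read()


def check_site(url):
    """Build the probe URL, fetch it and classify the response."""
    headers, body = fetch(probe_url(url))
    return assess(headers, body)


# Constructed sample responses (not real captures) for the self-check.
LEAKY_HEADERS = {"Server": "Apache/2.2.22 (Debian)",
                 "X-Powered-By": "PHP/5.3.3-7+squeeze15",
                 "Content-Type": "text/html"}
LEAKY_BODY = b"<html><head><title>PHP Credits</title></head><body><h1>PHP Credits</h1></body></html>"
HARDENED_HEADERS = {"Server": "Apache", "Content-Type": "text/html"}
HARDENED_BODY = b"<html><body>Welcome</body></html>"


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check_site(sys.argv[1]))   # live check against a URL you own
    else:
        print("leaky:   ", assess(LEAKY_HEADERS, LEAKY_BODY))
        print("hardened:", assess(HARDENED_HEADERS, HARDENED_BODY))
```

Run it with a URL of a site you are allowed to test; without arguments it only classifies the two constructed samples. An empty `credits_page` with a populated `php_version` is the PHP 5.5+ pattern: the easter egg is gone but expose_php is still on.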


15 Responses

2088

That's horrible! Thanks for the tips :)

over 1 year ago ·
2095

Good tip there - and something I have been doing for years - but good to share it around! :D

over 1 year ago ·
2096

But it only shows credits; it does not show any PHP version information. Why do you find this a security issue?

over 1 year ago ·
2108

@simasj Knowing the version of PHP makes it easier for bad guys to exploit known vulnerabilities

If you are on shared-server hosting and don't have access to php.ini, you can deny access to the PHP credits in the .htaccess:

# Refuse any request whose query string carries one of the PHP easter-egg GUIDs
RewriteEngine On
RewriteCond %{QUERY_STRING} =PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC]
RewriteRule .* - [F]

Edit: you can also use header_remove('x-powered-by');

over 1 year ago ·
2124

@pyrech Thanks! Yeah I thought I mentioned that even though the page isn't harmful, the headers being sent are. Another way to prevent this (at least for something like GoDaddy) is to create a php.ini file in your root web directory and set expose_php = off

over 1 year ago ·
2342

Actually the PHP version can be found in HTTP headers. But that is valid on any other page, not just for credits page, if expose_php is active.

over 1 year ago ·
2740

Also, more than likely this will be dropped from PHP 5.5 once it goes final -> https://bugs.php.net/bug.php?id=55497 along with the logo/image GUIDs that exist.

over 1 year ago ·
3463

Question... I made the change in php.ini, but the credits page still appears. Is this normal?

over 1 year ago ·
3959

I don't think you should be shoving the responsibility onto yourself or your website by saying "a PHP site is insecure" because of this.

A web server that is running an older version will always be vulnerable to bugs that are not yet fixed. So what you should be saying is "Your web server may not be secure."

over 1 year ago ·
5451

What about /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42
I don't think this is insecure...

over 1 year ago ·
5505

Thanks for the tip!

over 1 year ago ·
5508

Actually, the X-Powered-By header is way more important, because it tells the user the PHP version.
The fact that a site is powered by PHP alone does not make it attackable.

over 1 year ago ·
5520

@abimaelmartell Haha it made me laugh !

over 1 year ago ·
5734

@simasj It shows every module installed on your system - potentially revealing a great deal about your app processing and algorithms. In short, somebody will be able to see how you're hashing passwords, what type of database your app is using, how you're manipulating images, what version of Apache, etc. Why allow all that out when you can prevent it? :)

over 1 year ago ·
9507

@paulstatezny - did you restart your web-server after making the change?

over 1 year ago ·