Last Updated: May 23, 2019
· tlackemann

Your PHP site may not be secure

Do you know about PHP easter eggs? I've encountered this often and it's actually pretty alarming - go to any PHP site and add this to the end of the URL


Do you see the PHP credits? If so, your PHP site is exposing sensitive information to your visitors. While the page itself may not contain anything harmful, a clever visitor could find out which version of PHP you're running by looking at the response headers and then find a security flaw associated with that version.

It's good practice to always make sure

expose_php = off

is set in your php.ini file.
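To confirm the setting actually took effect, here is an added example (not code from the original post): a Python script that works out the effective expose_php value from a php.ini text and scans a captured response header block for PHP version tokens. The function names and the sample ini and header text are constructed for illustration.

```python
import re

_PHP_TOKEN = re.compile(r"PHP/([0-9][\w.+~-]*)", re.I)

def effective_expose_php(ini_text):
    """Return the boolean PHP would end up with for expose_php after reading ini_text."""
    value = True                               # PHP's built-in default is On
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0]           # ';' starts a comment
        key, sep, raw = line.partition("=")
        if not sep or key.strip() != "expose_php":   # directive names are case sensitive
            continue
        raw = raw.strip().strip("\"'").lower()
        num = re.match(r"-?\d+", raw)
        # on/yes/true are true; anything else is read as an integer (off, no, "" -> 0)
        value = raw in ("on", "yes", "true") or bool(num and int(num.group()))
        # no break: a later assignment in the file overrides an earlier one
    return value

def leaked_php_versions(raw_headers):
    """Return [(header_name, version)] for each response header naming a PHP version."""
    leaks = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            leaks += [(name.strip(), m.group(1)) for m in _PHP_TOKEN.finditer(value)]
    return leaks

def audit(ini_text, raw_headers):
    """List findings from both checks; an empty list means nothing is disclosed."""
    exposed = effective_expose_php(ini_text)
    findings = ["php.ini: expose_php is effectively On"] if exposed else []
    for name, version in leaked_php_versions(raw_headers):
        hint = "" if exposed else " although php.ini says Off (stale config in use?)"
        findings.append(f"{name} discloses PHP {version}{hint}")
    return findings

# Constructed samples, not taken from any real server.
SAMPLE_INI = "[PHP]\n;expose_php = Off\nmemory_limit = 128M\n"
SAMPLE_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.22 (Ubuntu) PHP/5.3.10\r\n"
    "X-Powered-By: PHP/5.3.10\r\n"
    "Content-Type: text/html\r\n"
)

if __name__ == "__main__":
    for finding in audit(SAMPLE_INI, SAMPLE_HEADERS):
        print(finding)
```

A commented-out `;expose_php = Off` line counts as On because the built-in default applies, and a version still showing in the headers while the file says Off usually means a different php.ini is loaded or the web server was not restarted.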

15 Responses


That's horrible! Thanks for the tips :)

over 1 year ago ·

Good tip there - and something I have been doing for years - but good to share it around! :D

over 1 year ago ·

But it shows only credits, it does not show any php version information. Why do you find this a security issue?

over 1 year ago ·

@simasj Knowing the version of PHP makes it easier for bad guys to exploit known vulnerabilities

If you are on shared-server hosting and don't have access to php.ini, you can deny access to PHP credits in the .htaccess:

RewriteEngine On
# Escape the leading "=": unescaped, mod_rewrite reads it as a string-comparison operator, not as part of the regex
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC]
RewriteRule .* - [F]

Edit: you can also use header_remove('x-powered-by');

over 1 year ago ·

@pyrech Thanks! Yeah I thought I mentioned that even though the page isn't harmful, the headers being sent are. Another way to prevent this (at least for something like GoDaddy) is to create a php.ini file in your root web directory and set expose_php = off

over 1 year ago ·

Actually the PHP version can be found in HTTP headers. But that is valid on any other page, not just for credits page, if expose_php is active.

over 1 year ago ·

Also, more than likely this will be dropped from PHP 5.5 once it goes final -> https://bugs.php.net/bug.php?id=55497 along with the logo/image GUIDs that exist.

over 1 year ago ·

Question... I made the change in php.ini, but the credits page still appears. Is this normal?

over 1 year ago ·

I don't think you should be shoving the responsibility on yourself or your website by saying a PHP Site is insecure because of this.

A web server that is running an older version will always be vulnerable to bugs that are not yet fixed. So what you should be saying is Your Web Server may not be secure.

over 1 year ago ·

What about /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42
I don't think this is unsecure....

over 1 year ago ·

Thanks for the tip!

over 1 year ago ·

Actually, the X-Powered-By header is way more important, because it tells the user the PHP version.
The fact that a site is powered by PHP alone does not make it attackable.

over 1 year ago ·

@abimaelmartell Haha it made me laugh !

over 1 year ago ·

@simasj It shows every module installed on your system - potentially revealing a great deal about your app processing and algorithms. In short, somebody will be able to see how you're hashing passwords, what type of database your app is using, how you're manipulating images, what version of Apache, etc. Why allow all that out when you can prevent it? :)

over 1 year ago ·

@paulstatezny - did you restart your web-server after making the change?

over 1 year ago ·