Your PHP site may not be secure
Do you know about PHP easter eggs? I've encountered this often and it's actually pretty alarming: go to any PHP site and add this to the end of the URL
?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
Do you see the PHP credits? If so, your PHP site is exposing sensitive information to its visitors. While the page itself contains nothing harmful, a clever visitor could find out which version of PHP you're running by looking at the response headers and then look up the security flaws associated with that version.
It's good practice to always make sure that
expose_php = off
is set in your php.ini file.
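As an added example (not part of the original protip), here is a small audit script that checks the two things this tip is about: whether a php.ini leaves expose_php enabled, and whether a server's response headers are advertising a PHP version through X-Powered-By. The php.ini fragments and response headers are constructed samples, and the PHP version they contain is made up.

```python
"""Audit helpers for the expose_php setting.

Added example, not code from the original protip. Given the text of a
php.ini file and the raw headers of an HTTP response, it reports whether
PHP is advertising itself. All sample inputs below are constructed.
"""
import re

# Values that php.ini treats as "on" (PHP compares them case-insensitively).
_TRUTHY = {"1", "on", "yes", "true"}


def expose_php_enabled(ini_text: str) -> bool:
    """Return True if the php.ini text leaves expose_php enabled.

    PHP's compiled-in default for expose_php is On, so a file that never sets
    the directive (or only mentions it inside a ';' comment) counts as enabled.
    The last uncommented assignment wins, as in PHP itself.
    """
    enabled = True
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        m = re.match(r"expose_php\s*=\s*(\S*)", line, re.IGNORECASE)
        if m:
            enabled = m.group(1).strip('"').lower() in _TRUTHY
    return enabled


def leaked_php_version(raw_headers: str):
    """Return the PHP version advertised in an X-Powered-By header, or None.

    With expose_php=On, PHP adds a header such as 'X-Powered-By: PHP/x.y.z'
    to every response, not only to the credits page.
    """
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-powered-by":
            m = re.search(r"PHP/([\w.\-]+)", value, re.IGNORECASE)
            if m:
                return m.group(1)
    return None


def audit(ini_text: str, raw_headers: str) -> list:
    """Combine both checks into a list of human-readable findings."""
    findings = []
    if expose_php_enabled(ini_text):
        findings.append("expose_php is enabled: set expose_php = Off in php.ini")
    version = leaked_php_version(raw_headers)
    if version:
        findings.append(f"X-Powered-By header reveals PHP {version}")
    return findings


# Constructed sample php.ini fragments: the first only has the directive in
# a comment (so the default of On applies), the second turns it off.
INI_DEFAULT = (
    "; Decides whether PHP may expose the fact that it is installed\n"
    ";expose_php = On\n"
)
INI_HARDENED = "expose_php = Off\n"

# Constructed sample response headers (version number is made up).
HEADERS_LEAKY = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Powered-By: PHP/5.4.9\r\n"
    "Content-Type: text/html\r\n"
)
HEADERS_CLEAN = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
)

if __name__ == "__main__":
    for label, ini, hdrs in (("default", INI_DEFAULT, HEADERS_LEAKY),
                             ("hardened", INI_HARDENED, HEADERS_CLEAN)):
        print(label, audit(ini, hdrs) or ["no findings"])
```

The php.ini parser is deliberately simple (no section handling), which is enough for this directive; the point is that an absent or commented-out expose_php line is the same as expose_php = On.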
Written by Thomas Lackemann
15 Responses
That's horrible! Thanks for the tips :)
Good tip there - and something I have been doing for years - but good to share it around! :D
But it only shows the credits; it does not show any PHP version information. Why do you find this a security issue?
@simasj Knowing the version of PHP makes it easier for bad guys to exploit known vulnerabilities
If you are on shared-server hosting and don't have access to php.ini, you can deny access to the PHP credits in the .htaccess:
RewriteEngine On
# Refuse (403) any request whose query string carries a PHP easter-egg GUID;
# [NC] makes the hex digits match regardless of case.
RewriteCond %{QUERY_STRING} =PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC]
RewriteRule .* - [F]
Edit: you can also use header_remove('x-powered-by');
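An added example (not pyrech's code) that checks the RewriteCond pattern from the comment above against the query strings quoted in this thread and against ordinary traffic. It uses Python's re module as a stand-in for the PCRE engine Apache actually uses, with re.IGNORECASE standing in for the [NC] flag; that substitution is an assumption of the example, so the final word is still a request against the real server.

```python
"""Check the .htaccess easter-egg rule before relying on it.

Added example, not part of the original comment. Python's re is used here
as an approximation of Apache's PCRE matching (an assumption of this
example); re.IGNORECASE plays the role of the [NC] flag.
"""
import re

# The expression from the RewriteCond, unchanged.
EASTER_EGG_QS = re.compile(
    r"=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}",
    re.IGNORECASE,
)


def would_block(query_string: str) -> bool:
    """True if the RewriteCond would fire, so the RewriteRule returns 403.

    RewriteCond searches the query string rather than anchoring at the
    start, so re.search (not re.match) mirrors its behaviour.
    """
    return EASTER_EGG_QS.search(query_string) is not None


# Expected verdicts: the two GUID query strings quoted in this thread must
# be blocked, and normal application traffic must keep working.
SAMPLES = {
    "=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000": True,   # credits page
    "=PHPE9568F34-D428-11d2-A769-00AA001ACF42": True,   # logo image
    "=phpb8b5f2a0-3c92-11d3-a3a9-4c7b08c10000": True,   # [NC]: any case
    "page=about&id=42": False,                          # ordinary request
    "q=PHPB8B5F2A0": False,                             # not a full GUID
    "": False,                                          # no query string
}


def check_rule() -> dict:
    """Return {query_string: verdict} for every sample."""
    return {qs: would_block(qs) for qs in SAMPLES}


def rule_matches_expectations() -> bool:
    """True only if every sample gets the verdict listed in SAMPLES."""
    return check_rule() == SAMPLES


if __name__ == "__main__":
    for qs, verdict in check_rule().items():
        print(f"{'BLOCK' if verdict else 'allow'}  ?{qs}")
    print("rule behaves as expected:", rule_matches_expectations())
```

PHP only treats the query string as an easter-egg request when it begins with the = sign, so the unanchored pattern is, if anything, slightly broader than necessary; that is harmless, since no legitimate parameter looks like =PHP followed by a GUID.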
@pyrech Thanks! Yeah I thought I mentioned that even though the page isn't harmful, the headers being sent are. Another way to prevent this (at least for something like GoDaddy) is to create a php.ini file in your root web directory and set expose_php = off
Actually the PHP version can be found in the HTTP headers. But that is valid on any other page, not just for the credits page, if expose_php is active.
Also, more than likely this will be dropped from PHP 5.5 once it goes final -> https://bugs.php.net/bug.php?id=55497 along with the logo/image GUID's that exist.
Question... I made the change in php.ini, but the credits page still appears. Is this normal?
I don't think you should be shoving the responsibility on yourself or your website by saying a PHP Site is insecure because of this.
A web server that is running an older version will always be vulnerable to bugs that are not yet fixed. So what you should be saying is Your Web Server may not be secure.
What about /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42
I don't think this is insecure....
Thanks for the tip!
Actually, the X-Powered-By header is way more important, because it tells the user the PHP version.
The fact that a site is powered by PHP alone does not make it attackable.
@abimaelmartell Haha, it made me laugh!
@simasj It shows every module installed on your system - potentially revealing a great deal about your app processing and algorithms. In short, somebody will be able to see how you're hashing passwords, what type of database your app is using, how you're manipulating images, what version of Apache, etc. Why allow all that out when you can prevent it? :)
@paulstatezny - did you restart your web-server after making the change?