
expose_php defaults to off in production #3335


Closed
wants to merge 1 commit into from

Conversation

Slamdunk

The comment says "It is no security threat in any way", but I think it is: if an old server exposes a version that is known to be buggy, it is far easier to exploit vulnerabilities (e.g. https://www.evonide.com/how-we-broke-php-hacked-pornhub-and-earned-20000-dollar/).

@smalyshev (Contributor)

It doesn't make it any easier to exploit vulnerabilities. It may make it easier to know that a particular site has some vulnerabilities, but for sites that run an old PHP version it'd be just security via obscurity, which is not a good idea. No idea how the link you've posted is relevant to this.

@bukka (Member) commented Sep 7, 2018

Well it can make targeting the vulnerable version easier for an attacker especially if the attack requires some resources. I have actually seen this reported in some security reviews (private reviews of the website). Personally I don't think it's a big issue but had to disable it anyway. Considering that it doesn't have any value, I would be for disabling it in production ini.

@petk (Member) commented Sep 7, 2018

What about adding a new optional header X-Powered-By that would show only PHP and no version?

So, instead of this in the production:

X-Powered-By: PHP/7.2.9

this might be more appropriate:

X-Powered-By: PHP

That way, PHP is still advertised in this output, yet with fewer security concerns. Otherwise, I think today most apps disable this header or adjust it differently. For development it's good to know the version, though.

@nikic (Member) commented Sep 8, 2018

@petk Only showing the minor version (PHP/7.2 or PHP/7.2.99) would be another possibility. Still allows gathering version stats without exposing the exact patch level.

@KalleZ (Member) commented Sep 8, 2018

Either way, I think this is something that should be discussed at least on internals first before a decision is made in regards to this.

@php-pulls

Comment on behalf of petk at php.net:

Labelling

@petk (Member) commented Oct 12, 2018

Some labels applied to help organize issues here better. To see how to bring this up to the internals mailing list see info at http://php.net/mailing-lists.php

In case there is a need for help with bringing this up to the mailing list, let me know and I'll ask there for more views on what to do here. Personally, I would go for what was suggested above: X-Powered-By: PHP 7.2, because there are actual sites out there that want to show this info. The security concern with showing this particular information is not more problematic than other aspects of the site.

@krakjoe (Member) commented May 10, 2021

This appears to have gone stale, so closing now.

The change would be all but meaningless anyway, we don't really decide configuration, package maintainers do.


8 participants