Expose to the world that PHP is installed on the server. Or not!


Recently a colleague asked me whether I knew what happens if you append “?=PHPE9568F34-D428-11d2-A769-00AA001ACF42“ to a URL. I had forgotten about it and didn’t know the answer instantly. Probably back when I was learning PHP and related stuff I noticed that query parameter and never thought about what consequences it could have. Maybe at the time I said… OK, you can see the PHP logo, but who cares!? But when I saw it again recently and took another look at the HTTP headers, I realised what a security issue it can be if you echo your PHP version (X-Powered-By:) and server info (Server:) to the world. Probably all of you have seen some “hacker websites” where you can find exploits for various CMSes/frameworks, listed with the versions and platforms on which those exploits work. So you can probably guess in which direction this post will go.

For more info about expose_php take a look at this link.

Okay. So there are two HTTP headers I want to mention here: “X-Powered-By” and “Server”.

Let’s look at the php.net website:

From the image above we can see the versions of PHP and Apache. Now, if we know of a bug in those versions, we would probably be able to hack php.net. Notice that php.net runs the latest stable version of PHP. Do you? Probably not. If you’re running PHP 5.3.5, take a look at the ChangeLog on php.net for PHP 5.3.6 and see how many bug fixes the PHP developers have made! If you’re not always up to date with all of the software on your server, you should hide your PHP and Server versions from the world.

So, how do you hide your PHP version, and perhaps the Apache version, from the world? First visit your website (http://example.com/?=PHPE9568F34-D428-11d2-A769-00AA001ACF42) and look at the header info. If you see those values for PHP and Apache, follow the next two steps:

1) How to hide “X-Powered-By” value from HTTP header

In the php.ini file, search for the expose_php line and see whether it’s set to On (the default is On). If so, change “expose_php = On” to “expose_php = Off“. Restart Apache and look at the headers again, or open your website again at http://example.com/?=PHPE9568F34-D428-11d2-A769-00AA001ACF42

On my local machine you can see:
a) before the change

b) after the change (and restarting Apache)

2) How to “hide” “Server” value from HTTP header

In the httpd.conf (Apache) file, search for “LoadModule headers_module modules/mod_headers.so” and, if it’s enabled, add the following lines at the bottom of the file:

ServerSignature Off
ServerTokens Prod
<IfModule mod_headers.c>
    Header unset Server
    Header unset X-Powered-By
</IfModule>

After the changes and restarting Apache:

Notice that we didn’t actually hide the Server header: ServerTokens Prod only reduces it to “Apache”, without any version info (httpd adds the Server header after mod_headers has run, so “Header unset Server” alone does not remove it).

Note: if you only apply 2) without changing php.ini as in 1), everyone will still be able to open something like http://example.com/?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 and see the PHP logo.

Also, if you check the HTTP headers of Google, FB, Magento, … for this information, you’ll see that they hide their “sensitive” info.
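To check the result of steps 1) and 2) without eyeballing the headers, here is a small audit script. It is an added example, not code from the original post: it parses a raw HTTP response (what `curl -si http://example.com/` prints), reports an X-Powered-By header, a Server header that still carries a version, and, for a request that used the easter-egg query string, a response whose Content-Type is an image (the PHP logo). The three sample responses are constructed for the example and are not captured from a real server.

```python
import re

# Constructed sample responses (not captured from a real server). The first is what a
# default expose_php = On / ServerTokens Full setup returns, the second the hardened one.
RESPONSE_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 04 Apr 2011 10:00:00 GMT\r\n"
    "Server: Apache/2.2.17 (Unix) PHP/5.3.5\r\n"
    "X-Powered-By: PHP/5.3.5\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)

RESPONSE_AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 04 Apr 2011 10:00:00 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed response to /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 on a server where
# only step 2) was applied: the headers look clean, but PHP still answers with the logo.
RESPONSE_EASTER_EGG = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: image/gif\r\n"
    "\r\n"
    "GIF89a..."
)

# A slash followed by a digit means a version survived ("Apache/2.2.17", "PHP/5.3.5").
VERSION_RE = re.compile(r"/\d")


def parse_headers(raw):
    """Return a dict of lower-cased header name -> value from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_response(raw, easter_egg_request=False):
    """Return a list of findings describing what the response still discloses.

    Set easter_egg_request=True when the request carried the ?=PHP... query string,
    so an image response can be recognised as the PHP logo easter egg.
    """
    headers = parse_headers(raw)
    findings = []
    if "x-powered-by" in headers:
        findings.append("X-Powered-By present: %s (set expose_php = Off)"
                        % headers["x-powered-by"])
    server = headers.get("server", "")
    if VERSION_RE.search(server):
        findings.append("Server header carries a version: %s (set ServerTokens Prod)"
                        % server)
    if easter_egg_request and headers.get("content-type", "").startswith("image/"):
        findings.append("easter-egg query returned an image: expose_php is still On")
    return findings


if __name__ == "__main__":
    for label, raw, egg in (("before", RESPONSE_BEFORE, False),
                            ("after", RESPONSE_AFTER, False),
                            ("easter egg", RESPONSE_EASTER_EGG, True)):
        print(label, "->", audit_response(raw, easter_egg_request=egg) or ["clean"])
```

To audit a live server, save the output of `curl -si` for the plain URL and for the easter-egg URL into files and pass their contents to `audit_response`, with `easter_egg_request=True` for the second one; an empty list for both means steps 1) and 2) are in effect.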


Author

Ivan Galambos

Backend Developer

Ivan worked at Inchoo from February 2011 to November 2013 as a Backend Developer.


Discussion 10 Comments

  1. Zvonimir Buric

    Interesting post.
    Security is very important subject, specially in eCommerce systems which perform money transactions.
    Developers should be aware of the security issues and distinguish between development and production environment.

  2. Thanks for the post, but for those who cannot edit php.ini on their hosting platform:

    There are four different query strings in PHP.

    ?=PHPE9568F36-D428-11d2-A769-00AA001ACF42
    Brings up a different logo depending on your PHP version.

    ?=PHPE9568F34-D428-11d2-A769-00AA001ACF42
    Brings up the logo as above in your post.

    ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
    Brings up the credits.

    ?=PHPE9568F35-D428-11d2-A769-00AA001ACF42
    Brings up the Zend Engine version logo.

    I have a part-way fix which you can add to your Magento .htaccess file, which uses a regex to redirect any of these PHP query strings to the forbidden page.

    ############################################
    ## Disallow PHP Easter Eggs (can be used in fingerprinting attacks to determine
    ## your PHP version).
    RewriteCond %{QUERY_STRING} \=PHP[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12} [NC]
    RewriteRule .* - [F]

    Hope that helps!

    Rob.
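The rewrite rule in the comment above only tells you that a request was refused; it does not tell you who is probing or whether the rule covers every variant. The script below is an added example (not Rob’s or the post author’s code) that applies the same regex, case-insensitively like the [NC] flag, to Apache combined-format access log lines and reports every request that carried an easter-egg query string, separating those that got a 403 from those that were still answered. The log lines are constructed for the example and do not come from a real server.

```python
import re

# Same pattern as the RewriteCond in the .htaccess snippet; re.IGNORECASE plays the
# role of the [NC] flag, so lower-case variants of the GUIDs are caught as well.
EASTER_EGG_RE = re.compile(
    r"=PHP[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}",
    re.IGNORECASE,
)

# Minimal parser for Apache "combined" log lines: client IP, timestamp, method,
# request target and status code are all we need here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log (not from a real server). Line 3 contains "=PHP" in the
# path, not in the query string, and must not be reported; line 4 slipped past
# the rule (status 200) because the Zend logo string was not blocked on this host.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Apr/2011:10:00:01 +0200] "GET /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 403 199 "-" "curl/7.21.0"
203.0.113.7 - - [04/Apr/2011:10:00:02 +0200] "GET /index.php?=phpb8b5f2a0-3c92-11d3-a3a9-4c7b08c10000 HTTP/1.1" 403 199 "-" "curl/7.21.0"
198.51.100.2 - - [04/Apr/2011:10:00:03 +0200] "GET /catalog/product/view/id=PHP12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.2 - - [04/Apr/2011:10:00:04 +0200] "GET /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2524 "-" "Mozilla/5.0"
"""


def find_easter_egg_probes(log_text):
    """Return (ip, path, status) for every request whose query string matches the rule."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip it
        path = m.group("path")
        query = path.partition("?")[2]  # RewriteCond looks at QUERY_STRING only
        if EASTER_EGG_RE.search(query):
            hits.append((m.group("ip"), path, int(m.group("status"))))
    return hits


def unblocked_probes(log_text):
    """Probes that did not receive a 403: the rule (or expose_php = Off) did not cover them."""
    return [hit for hit in find_easter_egg_probes(log_text) if hit[2] != 403]


if __name__ == "__main__":
    for ip, path, status in find_easter_egg_probes(SAMPLE_LOG):
        print("%-7s %s %s" % (status, ip, path))
    print("not blocked:", unblocked_probes(SAMPLE_LOG))
```

Run it against a real access log by reading the file into `find_easter_egg_probes`; a non-empty result from `unblocked_probes` means the easter egg is still reachable and step 1) from the post (expose_php = Off) is the fix that closes it regardless of query string.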

  3. Thanks Rob!

  4. Thx Ivan for this interesting post!

  5. Thanks Ivan for bringing this to our attention. I’ve applied the changes to some of our servers. Is there a way to set the ServerSignature even via htaccess?

  6. @Björn

    I think that you can set ServerSignature via htaccess file. If you are able – DO IT through configuration file because of performance gains… If you have high traffic site you can hide as much data in headers as possible and your server will send only few headers responses and you’ll save some net traffic.

    About hiding ServerSignature via htaccess file:
    http://httpd.apache.org/docs/current/mod/core.html#serversignature

    http://perishablepress.com/stupid-htaccess-tricks/

    Disable the Server Signature
    Here we are disabling the digital signature that would otherwise identify the server:
    # disable the server signature
    ServerSignature Off
  7. I prefer not to hide the X-Powered-By header, but to add some easter eggs:

    Header set Message "Welcome to BelVG, we hire!"
    Header set X-Powered-By "qBasic-1.7"
  8. @Pavel

    LOOOOL qBasic rulz :D

  9. Marius

    Nice post, but in Magento’s case we have the “frontend” cookie, which is trickier to hide.
    And extensions like “Builtwith” that have a large database.

    How do we trick those tools? :)

  10. Nice one, Pavel Novitsky. Setting the header is the best way to serve a hacker :)
