Expose to the world that PHP is installed on the server. Or not!
Recently my colleague asked me do I know what will happen if you type in URL “?=PHPE9568F34-D428-11d2-A769-00AA001ACF42“. I forgot about that and I didn’t know the answer instantly. Probably in time of learning PHP and related stuff I’ve noticed that query param and I didn’t know what consequences it could exploit. Maybe in that time I said… OK you can see PHP logo but who cares!? But recently when I saw that and when I looked once again HTTP header I saw what security issue could be if you echo to the world your PHP version (X-Powered-By:) and server header info (Server:). Probably all of you saw some “hacker websites” where you can find exploits for various CMS/Frameworks with their versions and platforms on which exploits could be accomplish. So probably you can now guess in which direction this post will go.
For more info about expose_php take a look this link.
Okay. So we have 2 HTTP headers: “X-Powered-By” and “Server” which I want to mention here.
Let’s see php.net website:
So from the image above we can see version of PHP and Apache. Now if we know that there is some bug on those version probably we will be able to hack php.net. Notice that php.net has the most latest and stable version of PHP. Do you have the same? Probably not. If you’re running PHP 5.3.5 please take a look ChangeLog on php.net for PHP version 5.3.6 and see how many bug-fixes developers behind the PHP have done! If you’re not always up to date with all of your software on your server you should hide your PHP and Server version from the world.
So how to hide your PHP version and perhaps Apache version from the world. First visit your website (http://example.com/?=PHPE9568F34-D428-11d2-A769-00AA001ACF42) and look into the header info. If you see those values for PHP and Apache follow next 2 steps:
1) How to hide “X-Powered-By” value from HTTP header
In the php.ini file you can search for expose_php line and see if it’s set to On (default is On). If that’s the case then you should change “expose_php = On” to “expose_php = Off“. Restart your Apache and see header again or see your website, http://example.com/?=PHPE9568F34-D428-11d2-A769-00AA001ACF42
On my local machine you can see:
a) before change
b) after changes (and restarting Apache)
2) How to “hide” “Server” value from HTTP header
In httpd.conf (Apache) file you can search for “LoadModule headers_module modules/mod_headers.so” and if it’s enabled you can add at the bottom of the file next lines:
ServerSignature Off
ServerTokens Prod
<ifmodule mod_headers.c>
Header unset Server
Header unset X-Powered-By
</ifmodule>After changes and restarting Apache:
Notice that we didn’t actually hide Server info, we only set Server to only Apache – without any version info.
Note. If you add only 2) without changing php.ini 1), everyone will be able to run something like this: http://example.com/?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 and see PHP logo.
Also, if you check Google, FB, Magento,… HTTP header for those information you’ll see that they had hide their “sensitive” info.
12 comments
nice post I got lots of knowledge from this post but I have an error msvcr110. problem while running php server in my pc what can i do?
How to hide these details if the website hosted on a shared server
Nice Pavel Novitsky. set header is the best way to serve hacker 🙂
Nice post, but in Magento’s case we have the “frontend” cookie who is trickier to hide.
And extensions like “Builtwith” that have a large database.
How do we trick that tools? 🙂
@Pavel
LOOOOL qBasic rulz 😀
I like not to hide X-Powered-By header, but add some easter eggs:
@Björn
I think that you can set ServerSignature via htaccess file. If you are able – DO IT through configuration file because of performance gains… If you have high traffic site you can hide as much data in headers as possible and your server will send only few headers responses and you’ll save some net traffic.
About hiding ServerSignature via htaccess file:
http://httpd.apache.org/docs/current/mod/core.html#serversignature
http://perishablepress.com/stupid-htaccess-tricks/
Thanks Ivan for bringing this to our attention. I’ve applied the changes to some of our servers. Is there a way to set the ServerSignature even via htaccess?
Thx Ivan for this interessting post!
Thanks Rob!
Thanks for the post, but for those who cannot edit php.ini on their hosting platform.
There are four different query stings in php.
Brings up the logo as above in your post.
Brings up the credits.
Brings up the Zend Engine version logo.
I have a part way fix which you can add to your magento .htaccess file. Which uses regex to redirect any different php type string to the forbidden page.
Hope that helps!
Rob.
Interesting post.
Security is very important subject, specially in eCommerce systems which perform money transactions.
Developers should be aware of the security issues and distinguish between development and production environment.