Expose to the world that PHP is installed on the server

Expose to the world that PHP is installed on the server. Or not! • Inchoo

Recently my colleague asked me do I know what will happen if you type in URL “?=PHPE9568F34-D428-11d2-A769-00AA001ACF42“. I forgot about that and I didn’t know the answer instantly. Probably in time of learning PHP and related stuff I’ve noticed that query param and I didn’t know what consequences it could exploit. Maybe in that time I said… OK you can see PHP logo but who cares!? But recently when I saw that and when I looked once again HTTP header I saw what security issue could be if you echo to the world your PHP version (X-Powered-By:) and server header info (Server:). Probably all of you saw some “hacker websites” where you can find exploits for various CMS/Frameworks with their versions and platforms on which exploits could be accomplish. So probably you can now guess in which direction this post will go.

For more info about expose_php take a look this link.

Okay. So we have 2 HTTP headers: “X-Powered-By” and “Server” which I want to mention here.

Let’s see php.net website:

So from the image above we can see version of PHP and Apache. Now if we know that there is some bug on those version probably we will be able to hack php.net. Notice that php.net has the most latest and stable version of PHP. Do you have the same? Probably not. If you’re running PHP 5.3.5 please take a look ChangeLog on php.net for PHP version 5.3.6 and see how many bug-fixes developers behind the PHP have done! If you’re not always up to date with all of your software on your server you should hide your PHP and Server version from the world.

So how to hide your PHP version and perhaps Apache version from the world. First visit your website (http://example.com/?=PHPE9568F34-D428-11d2-A769-00AA001ACF42) and look into the header info. If you see those values for PHP and Apache follow next 2 steps:

1) How to hide “X-Powered-By” value from HTTP header

In the php.ini file you can search for expose_php line and see if it’s set to On (default is On). If that’s the case then you should change “expose_php = On” to “expose_php = Off“. Restart your Apache and see header again or see your website, http://example.com/?=PHPE9568F34-D428-11d2-A769-00AA001ACF42

On my local machine you can see:

a) before change

b) after changes (and restarting Apache)

2) How to “hide” “Server” value from HTTP header

In httpd.conf (Apache) file you can search for “LoadModule headers_module modules/mod_headers.so” and if it’s enabled you can add at the bottom of the file next lines:

1
2
3
4
5
6
ServerSignature Off
ServerTokens Prod
<ifmodule mod_headers.c>
  Header unset Server
  Header unset X-Powered-By
</ifmodule>

After changes and restarting Apache:

Notice that we didn’t actually hide Server info, we only set Server to only Apache – without any version info.

Note. If you add only 2) without changing php.ini 1), everyone will be able to run something like this: http://example.com/?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 and see PHP logo.

Also, if you check Google, FB, Magento,… HTTP header for those information you’ll see that they had hide their “sensitive” info.