Please disable expose_php for additional security [#2116387]

Comment #1

omega8cc CreditAttribution: omega8cc commented 20 October 2013 at 22:36

We don't expose PHP at all, not just PHP version, but not at all, so I don't really understand this suggestion. It would make sense for Apache with mod_php, but not for BOA. Where do you see PHP version used exposed publicly? Only site admin can see it in the status page etc and it is a good thing. Besides, it is childishly easy to determine if the site is powered by Drupal even if we would have fake headers all over the place, and it is rather obvious that Drupal runs on PHP, so?

Log in or register to post comments

Comment #2

realityloop

he/him

CreditAttribution: realityloop commented 21 October 2013 at 06:15

examples:

http://realityloop.com/index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
http://realityloop.com/index.php?=PHPE9568F36-D428-11d2-A769-00AA001ACF42

Log in or register to post comments

Comment #3

omega8cc CreditAttribution: omega8cc commented 21 October 2013 at 18:22

As I said, what non-generic, non-specific information is provided that way, besides obvious fact that Drupal is a PHP app?

Log in or register to post comments

Comment #4

realityloop

he/him

CreditAttribution: realityloop commented 21 October 2013 at 23:31

The logo changes every version so it is possible to infer the php version from this.

http://stackoverflow.com/questions/4123558/turning-off-random-php-gif-logo

Log in or register to post comments

Comment #5

omega8cc CreditAttribution: omega8cc commented 22 October 2013 at 11:01

Interesting! Thanks. I think we will rather deny these requests instead of disabling expose_php, to not break the PHP status page (it would remove the image also there etc). Do you think it should fix the problem?