[WEB SECURITY] Securing apache installation with PHP

Richard Moore rich at westpoint.ltd.uk
Wed Jun 1 04:29:42 EDT 2005



Ian Holsman wrote:
> nice try,
> but unfortunately PHP adds its own header which ignores the
> servertokens directive.
> you will also need to edit your PHP.ini and change expose_php to off
> ; Misc
> ; 
> ; Decides whether PHP may expose the fact that it is installed on the server
> ; (e.g. by adding its signature to the Web server header).  It is no security
> ; threat in any way, but it makes it possible to determine whether you use PHP
> ; on your server or not.
> expose_php = off

Does this also prevent the 'easter egg' session ids? These also expose
lots of information.

http://localhost/phpinfo.php?=PHPE9568F36-D428-11d2-A769-00AA001ACF42
http://localhost/phpinfo.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42
http://localhost/phpinfo.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42

Cheers

Rich.
-- 
Richard Moore, Principal Software Engineer,
Westpoint Ltd,
Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England
Tel: +44 161 237 1028
Fax: +44 161 237 1031

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
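
An administrator can answer the question above empirically on their own server with a check like the following, an added example that is not part of the original thread: it reports the PHP signature header and whether the three query strings quoted in the message come back as an image instead of the normal page. The function names, the image content-type heuristic and the constructed sample responses are assumptions of this example.

```python
import urllib.error
import urllib.request

# Query strings copied from the three URLs quoted in the message.
EGG_QUERIES = [
    "=PHPE9568F36-D428-11d2-A769-00AA001ACF42",
    "=PHPE9568F34-D428-11d2-A769-00AA001ACF42",
    "=PHPE9568F35-D428-11d2-A769-00AA001ACF42",
]

def http_fetch(url):
    """GET url; return (headers with lower-cased names, body), also on 4xx/5xx."""
    try:
        resp = urllib.request.urlopen(url, timeout=10)
    except urllib.error.HTTPError as err:
        resp = err  # an HTTPError still carries the response headers and body
    with resp:
        return {k.lower(): v for k, v in resp.headers.items()}, resp.read()

def audit_php_exposure(page_url, fetch=http_fetch):
    """List what a PHP page on your own server reveals about the PHP install."""
    findings = []
    base, _ = fetch(page_url)
    if "x-powered-by" in base:
        findings.append("X-Powered-By: " + base["x-powered-by"])
    if "php" in base.get("server", "").lower():
        findings.append("Server header names PHP: " + base["server"])
    base_is_image = base.get("content-type", "").startswith("image/")
    for query in EGG_QUERIES:
        headers, _ = fetch(page_url + "?" + query)
        ctype = headers.get("content-type", "")
        # Assumption: an ignored query string returns the normal page, so an
        # image where the page is not one means the special query was served.
        if ctype.startswith("image/") and not base_is_image:
            findings.append("special query served as %s: ?%s" % (ctype, query))
    return findings

def constructed_server(exposed):
    """Fetcher returning constructed responses (no network), for illustration."""
    def fetch(url):
        headers = {"server": "Apache", "content-type": "text/html"}
        if exposed:
            headers["x-powered-by"] = "PHP/4.x (constructed)"
            if url.split("?", 1)[-1] in EGG_QUERIES:
                headers["content-type"] = "image/gif"
        return headers, b""
    return fetch

if __name__ == "__main__":
    for line in audit_php_exposure("http://localhost/phpinfo.php", constructed_server(True)):
        print(line)
```

Calling `audit_php_exposure(url)` without the second argument performs real requests; run it before and after changing `expose_php` and compare the findings.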


