[WEB SECURITY] Securing apache installation with PHP

Ivan Ristic ivan.ristic at gmail.com
Wed Jun 1 17:31:22 EDT 2005


On 6/1/05, Richard Moore <rich at westpoint.ltd.uk> wrote:
> 
> Ian Holsman wrote:
> > nice try,
> > but unfortunately PHP adds its own header which ignores the
> > servertokens directive.
> > you will also need to edit your PHP.ini and change expose_php to off
> > ; Misc
> > ;
> > ; Decides whether PHP may expose the fact that it is installed on the server
> > ; (e.g. by adding its signature to the Web server header).  It is no security
> > ; threat in any way, but it makes it possible to determine whether you use PHP
> > ; on your server or not.
> > expose_php = off
> 
> Does this also prevent the 'easter egg' session ids? These also expose
> lots of information.

It did the last time I checked. I doubt they changed it.

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
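
An added example, not part of the thread and not written by any of the posters: a small audit for the point made above, that `ServerTokens` alone does not stop PHP announcing itself unless `expose_php` is off. The function names and the sample responses (including the version string) are constructed for illustration, and php.ini `[PATH=]`/`[HOST=]` sections are ignored.

```python
import re

# PHP treats these ini strings as true for a boolean directive; anything else
# goes through integer conversion, so "off", "no", "false" and "0" are false.
_TRUE = {"on", "yes", "true"}

def effective_expose_php(ini_text, default=True):
    """Return the expose_php value this php.ini text yields (PHP defaults to On)."""
    value = default
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        m = re.fullmatch(r"expose_php\s*=\s*(.*)", line)
        if m:                                    # a later assignment overrides an earlier one
            v = m.group(1).strip().strip('"').lower()
            value = v in _TRUE or (v.lstrip("-").isdigit() and int(v) != 0)
    return value

def php_disclosures(raw_response):
    """List (header, value) pairs in a raw HTTP response that reveal PHP."""
    findings = []
    for line in raw_response.splitlines()[1:]:   # skip the status line
        if not line.strip():
            break                                # end of the header block
        name, _, val = line.partition(":")
        name, val = name.strip().lower(), val.strip()
        if name == "x-powered-by" and "php" in val.lower():
            findings.append(("X-Powered-By", val))
        elif name == "server" and re.search(r"\bPHP/[\d.]+", val):
            findings.append(("Server", val))
    return findings

# Constructed responses: ServerTokens already trimmed, expose_php on vs. off.
BEFORE = ("HTTP/1.1 200 OK\r\nServer: Apache\r\n"
          "X-Powered-By: PHP/4.3.11\r\nContent-Type: text/html\r\n\r\n<html>")
AFTER = ("HTTP/1.1 200 OK\r\nServer: Apache\r\n"
         "Content-Type: text/html\r\n\r\n<html>")

if __name__ == "__main__":
    ini = "; expose_php = off\nexpose_php = On\n"   # constructed: only a comment says off
    print("expose_php effective:", effective_expose_php(ini))
    for label, resp in (("before", BEFORE), ("after", AFTER)):
        print(label, php_disclosures(resp) or "no PHP banner")
```
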


