[WEB SECURITY] Securing apache installation with PHP

Gerry Murphy gjm at datadive.com
Thu Jun 2 19:29:31 EDT 2005


Richard Moore wrote:

> Ian Holsman wrote:
>
>>but unfortunately PHP adds its own header which ignores the
>>ServerTokens directive.
>>you will also need to edit your php.ini and change expose_php to off
>
> Does this also prevent the 'easter egg' session ids? These also expose
> lots of information.
> 
> http://localhost/phpinfo.php?=PHPE9568F36-D428-11d2-A769-00AA001ACF42
> http://localhost/phpinfo.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42
> http://localhost/phpinfo.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42

I believe you'll find that the above are nothing but images; the real 
problem is having a publicly viewable web page containing the following 
PHP code:

<?php phpinfo(); ?>

Setting the ini value "expose_php" does not prevent you from making this 
configuration info available.  While this information can be quite 
useful when developing a site, having it available on a live server is 
a risk.

http://www.google.com/search?&q=intitle%3Aphpinfo
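The three leaks discussed in this thread (ServerTokens, expose_php, and a stray phpinfo() page) can be checked for in one pass over an HTTP response. The following is an added example, not code from the list or from Apache/PHP; the two responses are constructed samples, and the version strings in them are invented for illustration.

```python
import re

# Constructed sample: expose_php=On, ServerTokens Full, and a leftover
# phpinfo.php page still being served. Version numbers are made up.
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.0.54 (Unix) PHP/4.3.11\r\n"
    "X-Powered-By: PHP/4.3.11\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>phpinfo()</title></head><body>"
    "<h1 class=\"p\">PHP Version 4.3.11</h1></body></html>"
)

# Constructed sample: the hardened counterpart (ServerTokens Prod,
# expose_php=Off, phpinfo page removed).
HARDENED_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1></body></html>"
)


def parse_response(raw):
    """Split a raw HTTP response into a lowercase header dict and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def audit_exposure(raw):
    """Return (finding, evidence) pairs for each version/config leak found."""
    headers, body = parse_response(raw)
    findings = []
    powered = headers.get("x-powered-by", "")
    if re.search(r"\bPHP/\d", powered):          # expose_php still On
        findings.append(("expose_php", powered))
    server = headers.get("server", "")
    if re.search(r"/\d", server):                # anything beyond a bare product name
        findings.append(("servertokens", server))
    if re.search(r"<title>phpinfo\(\)</title>", body, re.I) or \
            re.search(r"\bPHP Version \d", body):
        findings.append(("phpinfo_page", "phpinfo() output served"))
    return findings
```

Run it against your own hosts' responses after changing ServerTokens and expose_php to confirm the headers actually changed; an empty list from the hardened response is the expected result.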
