By default, a PHP installation tells the world that PHP is installed
on the server. To stop this, modify php.ini and set
the expose_php variable to Off. On CentOS/RHEL, the file is /etc/php.ini. This
will remove the X-Powered-By line and the PHP version.
Sample output with the PHP version exposed:
[root@linuxcnf ~]# curl -I 192.168.43.106/index.php
HTTP/1.1 200 OK
Date: Fri, 08 Aug 2017 16:15:28 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
X-Powered-By: PHP/5.4.16
Content-Type: text/html; charset=UTF-8

Restrict PHP Information Leakage:
Search for the expose_php variable in the /etc/php.ini file and set it
to Off as below:
[root@linuxcnf ~]# vi /etc/php.ini
expose_php = Off
Save and close the file, then restart the httpd web server
using the following command:
# /etc/init.d/httpd restart
Test for PHP information leakage again; sample output is
below:
[root@linuxcnf ~]# curl -I 192.168.43.106/index.php
HTTP/1.1 200 OK
Date: Fri, 08 Aug 2017 16:19:07 GMT
Server: Apache/2.4.6 (CentOS)
Content-Type: text/html; charset=UTF-8
Now the server no longer reveals that PHP is
installed.
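
The manual check above can be scripted so it is repeatable after every PHP or httpd update. The following is an added example, not part of the original post; the function names are hypothetical and the sample headers are constructed from the two curl outputs shown above.

```shell
# Print the effective expose_php value from a php.ini file: the last
# uncommented assignment wins, and the built-in default in PHP is On.
expose_php_setting() {
    awk -F= '
        /^[ \t]*expose_php[ \t]*=/ {
            v = $2
            sub(/;.*/, "", v)         # drop a trailing comment
            gsub(/[ \t"]/, "", v)     # drop whitespace and quotes
            val = v; seen = 1
        }
        END { print (seen ? val : "On") }
    ' "$1"
}

# Read HTTP response headers on stdin and print every header that
# reveals PHP. Exit status 0 means a leak was found, 1 means clean.
php_header_leaks() {
    tr -d '\r' | awk '
        { line = tolower($0) }
        line ~ /^x-powered-by:.*php/ { print; found = 1 }
        line ~ /^server:.*php\//     { print; found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed samples: the header sets from the two curl outputs above.
BEFORE='HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
X-Powered-By: PHP/5.4.16
Content-Type: text/html; charset=UTF-8'
AFTER='HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS)
Content-Type: text/html; charset=UTF-8'

for sample in "$BEFORE" "$AFTER"; do
    if printf '%s\n' "$sample" | php_header_leaks; then
        echo "=> PHP is disclosed"
    else
        echo "=> no PHP disclosure"
    fi
done
# Live use: curl -sI 192.168.43.106/index.php | php_header_leaks
#           expose_php_setting /etc/php.ini
```

The exit status of php_header_leaks makes it usable as a monitoring check: a status of 0 after a package update means expose_php has reverted to On or a different php.ini is being loaded.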