Friday 8 September 2017

How to Restrict PHP Information Leakage

By default, a PHP installation tells the world that PHP is installed on the server, and which version, through the X-Powered-By response header. To stop this, edit php.ini and set the expose_php directive to Off. On CentOS/RHEL the file is /etc/php.ini. This removes the X-Powered-By line and the PHP version from the response headers.


Sample output with the PHP version exposed:

[root@linuxcnf ~]# curl -I 192.168.43.106/index.php
HTTP/1.1 200 OK
Date: Fri, 08 Aug 2017 16:15:28 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
X-Powered-By: PHP/5.4.16
Content-Type: text/html; charset=UTF-8

Restrict PHP Information Leakage:
Search for the expose_php directive in /etc/php.ini and set it to Off as below:

[root@linuxcnf ~]# vi /etc/php.ini

expose_php = Off

Save and close the file, then restart the httpd web server with the following command:

# /etc/init.d/httpd restart

Test again for PHP information leakage; the sample output is now as below:

[root@linuxcnf ~]# curl -I 192.168.43.106/index.php
HTTP/1.1 200 OK
Date: Fri, 08 Aug 2017 16:19:07 GMT
Server: Apache/2.4.6 (CentOS)
Content-Type: text/html; charset=UTF-8


The server no longer reveals in its response headers that PHP is installed.
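The check and the php.ini change described above, scripted as an added example (this is not code from the original post). The function names php_headers_leak and set_expose_php_off are my own, and the header blocks and php.ini snippet below are constructed samples that mirror the before/after output shown above; on a real CentOS/RHEL host you would point set_expose_php_off at /etc/php.ini and run php_headers_leak on the output of curl -I.

```sh
#!/bin/sh
# Added example, not from the original post: audit a saved `curl -I` header
# block for PHP disclosure, and set expose_php = Off in a php.ini file.
# Both functions take file paths, so they run offline against constructed
# samples; use /etc/php.ini on a real CentOS/RHEL host.

# Exit 0 (leak present) if a Server: or X-Powered-By: header mentions PHP.
php_headers_leak() {
    # $1: file holding raw response headers (CRLF line endings are fine)
    grep -Ei '^(Server|X-Powered-By):.*PHP' "$1" >/dev/null
}

# Force expose_php = Off in the given php.ini: rewrite an active (uncommented)
# directive, or append one if only a commented example exists. Commented
# lines such as "; expose_php = On" are left untouched. Prints the new value.
set_expose_php_off() {
    ini="$1"
    if grep -Eq '^[[:space:]]*expose_php[[:space:]]*=' "$ini"; then
        sed -E 's/^[[:space:]]*expose_php[[:space:]]*=.*/expose_php = Off/' \
            "$ini" > "$ini.tmp" && mv "$ini.tmp" "$ini"
    else
        printf 'expose_php = Off\n' >> "$ini"
    fi
    sed -n -E 's/^expose_php[[:space:]]*=[[:space:]]*//p' "$ini" | tail -n 1
}

# --- constructed samples (mirroring the post's before/after output) ---
demo_dir=$(mktemp -d)
printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.4.6 (CentOS) PHP/5.4.16\r\nX-Powered-By: PHP/5.4.16\r\nContent-Type: text/html; charset=UTF-8\r\n' \
    > "$demo_dir/before.txt"
printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.4.6 (CentOS)\r\nContent-Type: text/html; charset=UTF-8\r\n' \
    > "$demo_dir/after.txt"
printf '[PHP]\n; expose_php = On\nexpose_php = On\n' > "$demo_dir/php.ini"

for f in before after; do
    if php_headers_leak "$demo_dir/$f.txt"; then
        echo "$f.txt: PHP version disclosed"
    else
        echo "$f.txt: no PHP disclosure"
    fi
done
echo "expose_php is now: $(set_expose_php_off "$demo_dir/php.ini")"
rm -r "$demo_dir"
```

After editing the real /etc/php.ini, restart Apache so the new setting is loaded (the post uses /etc/init.d/httpd restart; on a systemd-based CentOS 7 host the equivalent is systemctl restart httpd), then re-run the header check against the live server. Note that expose_php only governs what PHP adds to the headers: the Server line still reports the Apache version, which is controlled by the ServerTokens directive in httpd.conf, and hiding the version does not replace keeping PHP patched.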
