Many people are not aware that PHP 5 ships with a php.ini variable enabled by default that allows any third party to query PHP for a few hard-coded variables, which display various information about PHP.
Some of the information displayed is:
To see that, make a request in your browser to a PHP-powered web server.
This reveals the PHP version number and the PHP authors who took an active part in the development of the current PHP release.
That could even be counted as a non-critical security flaw, since it reveals the PHP version, and many companies nowadays prefer that the technology backing their websites stays private.
Some other hard-coded variables that can be requested from a PHP-enabled server are:
http://domainname.com/some.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42
This will show you that the Apache server, or the server in question, is configured to serve PHP pages.
This simple method could be another security threat if you’re a security freak. It reveals that your web server is running PHP with the Zend2 Framework extension enabled.
This last one again reveals the PHP logo, a bit jagged.
Be aware that these 4 are enabled by default in php.ini on PHP version 5.x.
Therefore, from a security standpoint, as well as to show off your professionalism, you can disable them simply by editing your php.ini and changing the variable to expose_php = Off. To do that quickly on Debian running Apache 2.2.x, issue these commands from the command line:
debian-server:~# sed -e "s#expose_php = On#expose_php = Off#g" /etc/php5/apache2/php.ini > /etc/php5/apache2/php.ini.1;
debian-server:~# mv /etc/php5/apache2/php.ini.1 /etc/php5/apache2/php.ini
That’s it. Now the annoying information concerning PHP Credits, PHP Logos, and PHP Zend Framework Logos won’t be exposed to pranksters any more.
Historically speaking, in PHP version 4 there were 3 really funny pictures hard-coded into the PHP library. If you’re running PHP and you want to check them out, you have to make a request to your server like the one below:
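The sed command above only matches the exact text "expose_php = On", so a php.ini that spells the setting differently (no spaces, lower case, or commented out) is left unchanged. The following is an added example, not part of the original post, that handles those cases and verifies the result; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: turn expose_php off whatever the spelling in php.ini.
# Usage (path as in the post): disable_expose_php /etc/php5/apache2/php.ini

# Print the effective setting: "on", "off", or "unset" (missing or empty).
# The last uncommented assignment wins; with none, PHP's built-in default is On.
expose_php_state() {
    val=$(sed -n 's/^[[:space:]]*expose_php[[:space:]]*=[[:space:]]*"\{0,1\}\([A-Za-z0-9]*\).*/\1/p' "$1" |
          tail -n 1 | tr '[:upper:]' '[:lower:]')
    case "$val" in
        on|1|yes|true) echo on ;;
        "")            echo unset ;;
        *)             echo off ;;
    esac
}

disable_expose_php() {
    ini=$1
    [ -f "$ini" ] || { echo "no such file: $ini" >&2; return 1; }
    [ "$(expose_php_state "$ini")" = off ] && return 0   # nothing to do
    cp -p "$ini" "$ini.bak" || return 1                  # keep a backup
    tmp=$(mktemp "$ini.XXXXXX") || return 1
    # Rewrite every uncommented assignment, regardless of spacing or value.
    sed 's/^[[:space:]]*expose_php[[:space:]]*=.*/expose_php = Off/' "$ini" > "$tmp" || return 1
    # Only commented-out or no directive: put one on the first line.
    grep -q '^expose_php = Off$' "$tmp" || { echo 'expose_php = Off'; cat "$ini"; } > "$tmp"
    # Write back in place so the file keeps its owner and mode (mv would not).
    cat "$tmp" > "$ini" && rm -f "$tmp"
    [ "$(expose_php_state "$ini")" = off ]               # verify the result
}

# Constructed sample: a spelling the one-line sed in the post would not match.
demo() {
    d=$(mktemp -d) && printf '[PHP]\nexpose_php=on\n' > "$d/php.ini" &&
    disable_expose_php "$d/php.ini" && expose_php_state "$d/php.ini"
    rm -rf "$d"
}
```

Restart Apache afterwards so the PHP module rereads php.ini.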
The following funny pictures should appear right away 🙂
Now take some time and test the hidden requests on your PHP powered servers 🙂