Posts Tagged ‘Disable PHP Expose / Disable PHP Credits page showing up with including some.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 variable to a PHP powered WebServer’

Disable PHP Expose / Disable PHP Credits page showing up with including some.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 variable to a PHP powered WebServer

Friday, April 23rd, 2010

Many people are not aware that by default PHP 5 has enabled variable in the php.ini file which allows a third party person to query PHP for a few hard coded variables which displays various infos on PHP.
Some of the infos displayed are:
PHP Credits

To see that request in your browser to a PHP powered webserver.

http://domainname.com/some.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000

PHP Credits Reveal

This would reveal you the PHP version number + the PHP authors who took active part in the development of the current PHP release.
That could be even counted as a non-critical security flaw since it reveals PHP version and many companies nowadays prefers that the technology backing up their websites stays private.

Some other hard coded variables that can be requested to a PHP enabled server are:

http://domainname.com/some.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42This will show you that the Apache Server or the questionable Server is configured to server PHP pages.

PHP Logo Reveal

http://domainname.com/some.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42PHP with Zend Reveal

This simple method could be another security threat if you’re a security freak. It will reveal your Webserver is running PHP with Zend2 Framework extension enabled.

http://domainname.com/some.php?=PHPE9568F36-D428-11d2-A769-00AA001ACF42Reveal Jagged PHP Logo

This last one reveals again the PHP logo a bit jagged.
Be aware that this 4 are enabled by default in php.ini on PHP version 5.x.
Therefore from a security standpoint as well as to show off your professionalism you can disable it simply by editing your php.ini and changing the variable expose_php = Off .To do that quickly on Debian running Apache 2.2.x from the command line issue the commands:

debian-server:~# sed -e "s#expose_php = On#expose_php = Off#g" /etc/php5/apache2/php.ini > /etc/php5/apache2/php.ini.1;
debian-server:~# mv /etc/php5/apache2/php.ini.1 /etc/php5/apache2/php.ini

That’s it now the annoying information concerning PHP Credits, PHP Logos, and PHP Zend Framework Logos won’t be exposed any more for pranksters.

Historically speaking in PHP version 4. There were are 3 really funny pictures hard coded into the PHP library. If you’re running PHP and you want to check them out you have to do a request to your server like the one below:

http://domainname.com/?=PHPE9568F36-D428-11d2-A769-00AA001ACF42

The following funny pictures should appear right away 🙂
php rabbit exposedphp developer dude exposedsome php developed terrier dogsome php developer's black dog, nothing to do with Led Zeppelin

Now take some time and test the hidden requests on your PHP powered servers 🙂