Leonid Mamchenkov

PHP exposure via easter egg

Here is an interesting easter egg in PHP. Check whether your php.ini file has the expose_php setting turned on, like so:

; Decides whether PHP may expose the fact that it is installed
; on the server (e.g. by adding its signature to the Web
; server header). It is no security threat in any way, but it
; makes it possible to determine whether you use PHP on your
; server or not.
; http://www.php.net/manual/en/ini.core.php#ini.expose-php
expose_php = On

If it’s on, then you can see the PHP Credits page, which lists the PHP authors and contributors, as well as the authors and contributors of the PHP modules that you have installed. To see the page, add the secret parameter to any of the PHP pages on your server, like so: http://localhost/index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000. You’ll see a long page that starts like so:

Kudos to Chris for pointing it out to me.  I’ve since disabled the setting on my server.
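
A check for the setting discussed above, as an added example that is not part of the original post: it reads php.ini text, reports whether expose_php ends up enabled (including when the file never sets it), and flags the X-Powered-By signature in a set of response headers from your own server. The function names and the sample inputs are constructed for illustration; it assumes a single php.ini with no additional scanned .ini files or per-path sections.

```python
import re

# Assumption: PHP's built-in default for expose_php is On when php.ini omits it.
DEFAULT_EXPOSE_PHP = True

def parse_ini_bool(value):
    """php.ini boolean: on/yes/true are true, otherwise a non-zero integer."""
    v = value.strip().strip("\"'").lower()
    if v in ("on", "yes", "true"):
        return True
    try:
        return int(v) != 0
    except ValueError:
        return False  # off, no, false, none, empty, anything else

def expose_php_enabled(ini_text):
    """Return (enabled, line_no); line_no is None when the default applies."""
    enabled, line_no = DEFAULT_EXPOSE_PHP, None
    for n, raw in enumerate(ini_text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        m = re.match(r"expose_php\s*=\s*(.*)$", line)  # names are case sensitive
        if m:
            enabled, line_no = parse_ini_bool(m.group(1)), n  # last entry wins
    return enabled, line_no

def leaks_php_signature(headers):
    """True if the response headers carry an X-Powered-By: PHP/... signature."""
    return any(k.lower() == "x-powered-by" and "php" in v.lower()
               for k, v in headers.items())

# Constructed sample inputs (not taken from a real server).
SAMPLE_WEAK = "; sample\n[PHP]\nengine = On\nexpose_php = On\n"
SAMPLE_HARDENED = "[PHP]\n;expose_php = On\nexpose_php = Off ; hide signature\n"
SAMPLE_UNSET = "[PHP]\nengine = On\n"
SAMPLE_HEADERS = {"Server": "Apache", "X-Powered-By": "PHP/5.2.6"}

if __name__ == "__main__":
    for name, text in [("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED),
                       ("unset", SAMPLE_UNSET)]:
        on, where = expose_php_enabled(text)
        src = f"line {where}" if where else "built-in default"
        print(f"{name}: expose_php {'On' if on else 'Off'} ({src})")
    print("header leak:", leaks_php_signature(SAMPLE_HEADERS))
```

A commented-out line such as ";expose_php = On" does not count as a setting, which is why the unset case falls back to the default rather than reporting Off.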
