Hi list,
I just came back from the PHP Conference in Frankfurt and had some nice
talks there with Ilia and Derick. They told me to send my following
thoughts to internals, so that you can maybe find a wise solution for
it.
As security gets more and more recognized by many people, they follow
all the security experts' suggestions to turn the exposure of PHP OFF,
as otherwise this would help hackers to find vulnerabilities on their
server (i.e. if you are running an old PHP version which has security
holes).
I was told to do so, too, but actually I have a very good reason to
leave it turned on: Netcraft. As far as I can see, Netcraft is
collecting its numbers from exactly this exposure. Further, I seem to
remember that in former times everybody said to turn it on, so that
Netcraft can count the server as a PHP server and as a result the
statistics look good for PHP.
Now have a short look at the statistics and you will see that we had a
decrease of about 1.3 million domains last month. I can imagine that a
reason for this may be that a huge provider turned expose_php off (but
who knows). In any case, this makes me aware of a problem: a decision
between security and PHP's spread?
My suggestion would be to simply shorten the string that gets exposed
to "php" and not show any version numbers (or maybe leave it to the
user, say 0 for "no exposure", 1 for "only php" and 2 for "php with
version number").
What do you think?
best regards,
-Wolfgang
--
PHP hub Dynamic Web Pages: http://www.dynamicwebpages.de/
German-language PHP certifications: http://www.phpzertifizierung.de/
Professional solutions for dynamic web publishing: http://php-buch.de/

On Thu, 10 Nov 2005 16:13:34 +0100, in php.internals drews@php.net
("Wolfgang Drews") wrote:
> My suggestion would be to simply shorten the string that gets exposed
> to "php" and not show any version numbers (or maybe leave it to the
> user, say 0 for "no exposure", 1 for "only php" and 2 for "php with
> version number").
> What do you think?
I suppose attacks could be divided into targeted attacks and wild
attacks.
The latter case (as with all the different kinds of worms) has shown us
that it is easier to shoot and move on than to determine whether or not
a host is vulnerable (why send a HEAD request just to determine whether
or not your request would work, instead of just sending the malicious
GET request in the first place?).
It could be mentioned that some worms, such as the ones targeting phpBB,
used Google requests to search for specific versions of phpBB. For
phpBB I'm not sure whether omitting the version number would result in
a better security track record though :-)
Those targeting specific web sites might be able to figure out the
approximate version otherwise. The major version of PHP could be
determined in a couple of other ways, such as checking what animal
(sorry Thies :-) is present, e.g.:
http://www.php.net/cal.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42
and otherwise still try any kind of exploit if the version information
is unavailable.
People tend to use the default values or less when there is no change
of function. I don't see who would want to add further information if
"current practice" is just to expose "php" and not any version number.
I don't think turning the version information off would reduce the
number of attacks. But it would be more cumbersome to help people with
PHP issues, as the PHP version is not directly available.
Honestly, I'm not sure how I would feel on the "expose version number"
issue if e.g. Google would allow people to restrict their searches
based on header information as well.
--
- Peter Brodersen
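
The two fingerprints Peter describes above, the X-Powered-By header and the
"animal" easter-egg URL, worked through as an added example that is not
code from the thread or from PHP itself. It classifies what a server leaks
using Wolfgang's 0/1/2 levels purely as labels (PHP has no such setting;
expose_php is On or Off), and checks whether a request carrying the
easter-egg query string is answered with an image instead of the page. The
HTTP responses, the "4.4.1" version string, the helper names and the
assumption that a "level 1" server would still answer the easter egg are
all constructed for this example.

```python
"""Added example (not from the thread or from PHP): what a scanner can read
off a PHP server from the X-Powered-By header and the easter-egg query.

All HTTP responses below are constructed samples, not captured traffic."""
from __future__ import annotations

import re

# Query string from the URL quoted in the thread. With expose_php=On, PHP
# answers a request carrying it with an image (the "animal"), not the page.
EASTER_EGG_QUERY = "?=PHPE9568F34-D428-11d2-A769-00AA001ACF42"

# Wolfgang's proposed exposure levels, used here only as labels (assumption:
# PHP itself has no such setting, only expose_php On/Off).
NO_EXPOSURE = 0
PHP_ONLY = 1
PHP_WITH_VERSION = 2


def parse_response(raw: str) -> tuple[int, dict[str, str], str]:
    """Split a raw HTTP/1.x response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def exposure_level(headers: dict[str, str]) -> tuple[int, str | None]:
    """Map X-Powered-By onto the 0/1/2 levels, plus the version string if shown."""
    powered_by = headers.get("x-powered-by", "")
    if "php" not in powered_by.lower():
        return NO_EXPOSURE, None
    match = re.search(r"PHP/(\d+(?:\.\d+)*)", powered_by)
    if match:
        return PHP_WITH_VERSION, match.group(1)
    return PHP_ONLY, None


def easter_egg_answered(headers: dict[str, str]) -> bool:
    """True when the easter-egg request came back as an image, not the page.
    Per Derick's remark, expose_php=Off disables the egg, so this reveals the
    setting even when X-Powered-By is stripped by a proxy. Which animal it is
    (and so the major version) would need the image bytes compared against
    known ones; that table is deliberately not modelled here."""
    content_type = headers.get("content-type", "").split(";")[0].strip().lower()
    return content_type.startswith("image/")


def fingerprint(normal_raw: str, egg_raw: str) -> dict:
    """Combine both signals for one host: the plain page, and the same page
    requested with EASTER_EGG_QUERY appended."""
    _, normal_headers, _ = parse_response(normal_raw)
    _, egg_headers, _ = parse_response(egg_raw)
    level, version = exposure_level(normal_headers)
    egg = easter_egg_answered(egg_headers)
    return {
        "header_level": level,
        "version": version,
        "easter_egg": egg,
        # Either signal on its own is enough to count the host as PHP.
        "is_php": level != NO_EXPOSURE or egg,
    }


def _response(extra_headers: str, content_type: str, body: str) -> str:
    # Builds a constructed HTTP/1.1 200 response for the samples below.
    return (
        "HTTP/1.1 200 OK\r\nServer: Apache\r\n" + extra_headers
        + "Content-Type: " + content_type + "\r\n\r\n" + body
    )


# Constructed samples; "4.4.1" is a placeholder, not a measured host.
SAMPLE_FULL = _response("X-Powered-By: PHP/4.4.1\r\n", "text/html", "<html>page</html>")
SAMPLE_FULL_EGG = _response("X-Powered-By: PHP/4.4.1\r\n", "image/gif", "GIF89a...")
# Wolfgang's hypothetical level 1; assumption: the egg would still answer.
SAMPLE_PHP_ONLY = _response("X-Powered-By: PHP\r\n", "text/html", "<html>page</html>")
SAMPLE_PHP_ONLY_EGG = _response("X-Powered-By: PHP\r\n", "image/gif", "GIF89a...")
# expose_php=Off: no header, and the egg request just returns the page.
SAMPLE_OFF = _response("", "text/html", "<html>page</html>")
SAMPLE_OFF_EGG = _response("", "text/html", "<html>page</html>")

if __name__ == "__main__":
    for name, pair in [("expose_php=On", (SAMPLE_FULL, SAMPLE_FULL_EGG)),
                       ("proposed level 1", (SAMPLE_PHP_ONLY, SAMPLE_PHP_ONLY_EGG)),
                       ("expose_php=Off", (SAMPLE_OFF, SAMPLE_OFF_EGG))]:
        print(name, fingerprint(*pair))
```

Running the block prints the three constructed cases. Against a live host a
scanner would fetch a PHP page twice, once plain and once with
EASTER_EGG_QUERY appended, and feed the two raw responses to fingerprint();
the point of the example is that with expose_php=Off both signals vanish
together, while the "php only" string Wolfgang proposes would keep the host
countable as PHP without naming a version.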

> Those targeting specific web sites might be able to figure out the
> approximate version otherwise. The major version of PHP could be
> determined in a couple of other ways, such as checking what animal
> (sorry Thies :-) is present, e.g.:
> http://www.php.net/cal.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42
> and otherwise still try any kind of exploit if the version information
> is unavailable.
That special trick should be disabled when expose_php is set to off; did
you verify that?
> I don't think turning the version information off would reduce the
> number of attacks. But it would be more cumbersome to help people with
> PHP issues, as the PHP version is not directly available.
Right, that was my point too.
Derick
--
Derick Rethans
http://derickrethans.nl | http://ez.no | http://xdebug.org