remove x-powered-by from php 5.2.3 cgi module

16 years ago by sotiris karavarsamis — view source

unread

i've got a webserver which runs php 5.2.3 via fastcgi, and i've recently
tried to remove the x-powered-by header for security reasons. however,
changing the php.ini expose-php directive value to off made no
difference. After searching a little on google for this problem, it came
out that there is no configuration directive for this, and so i created
a little patch for the cgi sapi module to solve it. you can find the
patch at http://docs.cshell.gr/patches/xpoweredby-cgiphp5.2.3.patch .
hope it helps many people who encounter the same problem. you can also
argue for this at http://www.cshell.gr/?p=113 .

16 years ago by Antony Dovgal — view source

unread

i've got a webserver which runs php 5.2.3 via fastcgi,

The latest stable version is 5.2.6, not 5.2.3.

I can't find any mention of X-Powered in 5.2.6 CGI sources,
but both cases in main/main.c do check expose_php INI setting.

--
Wbr,
Antony Dovgal

16 years ago by crrodriguez@suse.de — view source

unread

sotiris karavarsamis escribió:

i've got a webserver which runs php 5.2.3 via fastcgi, and i've recently
tried to remove the x-powered-by header for security reasons.

I hope you are kidding .. do you still think that "security through
obscurity" has any value ?

--
"A computer is like an Old Testament god, with a lot of rules and no
mercy. "

Cristian Rodríguez R.
Platform/OpenSUSE - Core Services
SUSE LINUX Products GmbH
Research & Development
http://www.opensuse.org/

16 years ago by Lars Strojny — view source

unread

Hi Christian,

Am Montag, den 08.09.2008, 05:29 -0400 schrieb Cristian Rodríguez:
[...]

I hope you are kidding .. do you still think that "security through
obscurity" has any value ?

Doesn't matter. expose_php=Off should definitely disable that header
too. So it is a bug.

cu, Lars

Jabber: lars@strojny.net
Weblog: http://usrportage.de

16 years ago by Lars Strojny — view source

unread

Hi,

Am Montag, den 08.09.2008, 11:44 +0200 schrieb Lars Strojny:

So it is a bug.

Read as: if we can reproduce it in one of our current versions, it is a
bug :)

cu, Lars

Jabber: lars@strojny.net
Weblog: http://usrportage.de

16 years ago by Lars Strojny — view source

unread

Hi Sotiris,

Am Samstag, den 06.09.2008, 15:42 +0300 schrieb sotiris karavarsamis:

i've got a webserver which runs php 5.2.3 via fastcgi, and i've recently
tried to remove the x-powered-by header for security reasons. however,
[...]

Please try the latest 5.2 with expose_php=0. I can't reproduce your bug.

cu, Lars

Jabber: lars@strojny.net
Weblog: http://usrportage.de