[Cialug] Disclosing Apache and PHP version numbers
dave at dchamp.net
Thu Apr 2 09:31:12 CDT 2009
You've pretty much answered your own question. At the SANS PHP security
class I was at this winter, they mentioned that any extra version info
you give out can be used by attackers to help them find vulnerable
servers to attack.
I can't think of a good reason really to leave them on. There may be a
RFC or something that says you're supposed to show it...
Eric Junker wrote:
> Is there any reason not to set:
> ServerSignature Off
> ServerTokens Prod
> to prevent Apache from disclosing version information?
> And also setting expose_php = 'off' to prevent PHP from sending the
> X-Powered-By header.
> Is there any purpose to these headers and why aren't they turned off
> by default? By themselves they do not pose a security risk but it
> could help an attacker to know if you are running a vulnerable version.
> Cialug mailing list
> Cialug at cialug.org
More information about the Cialug