Preventing Version Info Leakage with Dotdeb’s PHP 5.3.2 for Debian

There are plenty of arguments for and against security through obscurity. I'm of the opinion that while the benefit of doing it might be slim, actually implementing it doesn't cause any problems, so why not?

Moving on! The fastest way to upgrade PHP on Debian Lenny ("stable") without running into dependency hell is through the dotdeb repositories. Not only do they let you upgrade to PHP 5.3.2, they also let you install PHP-FPM through the Debian package manager instead of recompiling PHP from source.

There is one small problem though: once you upgrade from the Dotdeb repository, every PHP response carries an X-Powered-By header that announces the exact PHP version. PHP adds this header itself whenever its expose_php setting is On, which is PHP's default, so you either turn that setting off in php.ini or strip the header at the web server, as described below:

[Screenshot: response headers showing an X-Powered-By header that reveals the PHP version]

If you are serving PHP content with Apache 2 alone (mod_php, with nothing in front of it), fixing this is relatively simple. Enable mod_headers as follows:

a2enmod headers

Then add the following line to your virtual host definition. It has to be the Header directive, which acts on the response; RequestHeader only rewrites the incoming request and would leave the X-Powered-By response header in place:[1]

Header unset X-Powered-By

Now reload your Apache configuration. The header should be gone when you do a full refresh of the page in your browser (a plain reload may show you cached headers).
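A fuller virtual host fragment, added here as an example rather than taken from the post, that strips the header from error responses as well and trims Apache's own banner. A plain Header unset only edits the headers of successful responses; the always form also reaches the header table Apache uses for error responses (Apache 2.2 and later). The hostname and paths are placeholders, and ServerTokens is a server-wide setting that on Debian usually lives in /etc/apache2/conf.d/security rather than in a vhost file.

```apache
# Added example (not from the post). Hostname and paths are placeholders.
# Server-wide settings: on Debian these normally belong in /etc/apache2/conf.d/security.
# "Server: Apache" instead of "Server: Apache/2.2.x (Debian) PHP/5.3.2 ..."
ServerTokens Prod
# No version footer on Apache-generated error pages
ServerSignature Off

<VirtualHost *:80>
    ServerName   www.example.com
    DocumentRoot /var/www/mywebsite

    # Needs: a2enmod headers
    # Plain "Header unset" only edits the headers of successful (2xx) responses;
    # "always" also reaches the table used for error responses (4xx/5xx).
    Header unset        X-Powered-By
    Header always unset X-Powered-By
</VirtualHost>
```

Check the result on an error page as well as on a normal one; a 404 served by PHP is exactly the case the always line is there for.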

On the other hand, it becomes a little more complicated if Nginx is your public web server and PHP is handled by a backend behind it. Depending on how your Nginx setup hands PHP requests to that backend, you need one of two approaches:

Approach 1 – Nginx directly serves PHP content by proxying to a PHP/FastCGI server

If you have installed PHP-FPM, you will know that it runs as a service listening on TCP port 9000 (127.0.0.1:9000 by default; keep it on the loopback address, since anything that can reach that port can ask PHP-FPM to run scripts). Hence, you could have Nginx serve PHP content using the following directives:

location ~* ^.*\.php$ {
    fastcgi_pass   localhost:9000;
    fastcgi_param  SCRIPT_FILENAME  /var/www/mywebsite/$fastcgi_script_name;
}

To hide your PHP version, add the following directive inside that location block (it can also go at server or http level so that it covers every FastCGI location):

#Prevent version info leakage
fastcgi_hide_header X-Powered-By;
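Putting Approach 1 together, here is a complete server block as an added example (not the post's own configuration; the hostname and document root are placeholders). Beyond fastcgi_hide_header it turns off server_tokens, which is Nginx's own version leak in the Server header, uses $document_root instead of repeating the path, and only hands requests for scripts that actually exist on disk to PHP-FPM. Setting expose_php = Off in php.ini, as the comment at the end of this post suggests, stops PHP sending the header at all and is worth doing as well, so the version is not leaked by any other route to the same FPM pool.

```nginx
# /etc/nginx/sites-available/example
# Added example, not from the post. Hostname and document root are placeholders.
server {
    listen       80;
    server_name  www.example.com;
    root         /var/www/mywebsite;
    index        index.php index.html;

    # Nginx's own banner: "Server: nginx" instead of "Server: nginx/<version>"
    server_tokens off;

    location ~ \.php$ {
        # Only hand requests for scripts that exist on disk to PHP-FPM
        try_files $uri =404;

        include        fastcgi_params;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;

        # Drop PHP's version header before the response leaves Nginx
        fastcgi_hide_header X-Powered-By;
    }
}
```

Run nginx -t after editing and reload only when it reports the configuration as OK.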

Approach 2 – Nginx serves PHP content by proxying to an Apache process:

In this approach, the Nginx configuration for serving PHP content looks very different from Approach 1:

location ~* ^.*\.php$ {
    proxy_pass http://127.0.0.1:80;
}

The directive for hiding the version information changes as well, since Nginx is now acting as a reverse proxy rather than a FastCGI client:

#Prevent version info leakage
proxy_hide_header X-Powered-By;

Reload your Nginx configuration (run nginx -t first so a typo cannot take the site down) and check that the change has taken effect with a full refresh of the page in your browser, or by requesting just the headers from the command line:

[Screenshot: response headers with the X-Powered-By header no longer present]
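A browser refresh is an easy check to get wrong because of caching, so here is a small POSIX shell script, added as an example and not part of the original post, that inspects raw response headers for version-bearing X-Powered-By and Server values. The two sample responses are constructed for offline use, not captured from a real server, and the hostname in the usage line is a placeholder.

```shell
#!/bin/sh
# check_headers.sh: flag response headers that reveal a product version.
# Added example, not from the post. Usage (hostname is a placeholder):
#   curl -sI http://www.example.com/index.php | sh check_headers.sh check

# Constructed sample responses for offline testing (not captured from a real server).
SAMPLE_BEFORE='HTTP/1.1 200 OK
Server: nginx/0.7.67
X-Powered-By: PHP/5.3.2
Content-Type: text/html'

SAMPLE_AFTER='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html'

# leaky_headers RAW_HEADERS
# Print each X-Powered-By or Server header whose value contains a dotted version number.
# Matching is case-insensitive and tolerates CRLF line endings; prints nothing when clean.
leaky_headers() {
    printf '%s\n' "$1" | tr -d '\r' \
        | grep -i -E '^(x-powered-by|server):.*[0-9]+\.[0-9]+' || true
}

# check_headers RAW_HEADERS
# Returns 1 (and lists the offending lines) if a version leaks, 0 if the headers are clean.
# returns 1 for SAMPLE_BEFORE, 0 for SAMPLE_AFTER
check_headers() {
    leaky=$(leaky_headers "$1")
    if [ -n "$leaky" ]; then
        printf 'version leak:\n%s\n' "$leaky"
        return 1
    fi
    echo 'clean: no version in X-Powered-By or Server'
    return 0
}

# Script entry point: "check" reads the headers from stdin (e.g. piped from curl -sI).
case "${1:-}" in
    check) check_headers "$(cat)" ;;
esac
```

The script's exit status follows check_headers, so it can sit in a deployment script and fail the run if a reload ever brings the header back.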

  1. Note: I don't use Apache as my front-end web server anymore, so this isn't tested by me. That said, it should work.

This entry was posted on Saturday, July 24th, 2010 at 4:50 pm and is filed under Geek. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

1 Comment so far

  1. A more universal approach would be setting

    expose_php = Off

    in php.ini (or through php_flag in httpd.conf/.htaccess for that matter)
