Preventing Version Info Leakage with Dotdeb’s PHP 5.3.2 for Debian

There are plenty of arguments for and against Security Through Obscurity – I’m of the opinion that while the benefit for doing it might be slim, actually implementing it doesn’t cause any problems, so why not?

Moving On! The fastest way to upgrade the PHP version on Debian/Lenny “stable” without running into dependency hell is through the dotdeb repositories. Not only does it allow you to upgrade to PHP 5.3.2, you also get the ability to install PHP-FPM through the Debian package manager, instead of having to re-compile PHP from source.

There is one small problem though – once you upgrade using the Dotdeb repository, all your PHP pages have an “X-Powered-By” header included:

header-versionleak

If you are serving PHP content using Apache/2 alone, fixing this is relatively simple. Enable mod_headers as follows:

Then add the following line to your Virtual Host definition:1

Now reload your Apache configuration and the header information should disappear when you do a full refresh of the page in your browser.

On the other hand, it becomes a little more complicated if you are using Nginx as your public web-server and proxying PHP requests to a backend Apache process. Depending on how your Nginx setup is configured to handle PHP requests, you may need to use one of two approaches:

Approach 1 – Nginx directly serves PHP content by proxying to a PHP/FastCGI server

If you have installed PHP-FPM, you will know that it runs as a service listening for any requests on Port 9000. Hence, you could have Nginx serve PHP content using the following directives:

To hide your PHP version, add the following directive to the Nginx configuration:

Approach 2 – Nginx serves PHP content by proxying to an Apache process:

In this approach, the Nginx configuration for serving PHP content looks very different from Approach 1:

The directive for hiding the version information also changes as Nginx is now acting as reverse-proxy:

Reload your Nginx configuration and check that the changes have taken effect by triggering a full refresh of the page in your browser:

header-noversion


  1. Note: I don’t use Apache as my front-end web server anymore so this isn’t tested by me. That said, it should work  

Comments are closed.