Hide PHP X-Powered-By and Apache Server versions

The simple but deadly security tip that even some information security professionals overlook. By default on most Linux servers, the PHP X-Powered-By and Apache Server version are sent as HTTP response header to all requests. This means that anyone is free to view the information.

Security issues

The problem with that is attackers can see which versions of software a server is using and check for known vulnerabilities in those specific versions. An attacker doesn't have to risk testing random vulnerabilities because the X-Powered-By and Server headers tells them which exploits will probably work or not.

Checking the server's response HTTP headers is one of the first ports of call for a hacker or pentester targeting a given website or server because the pentester can do this as they browse the target website and appear as an innocent visitor, ensuring that no unwanted attention is drawn to them in the server's log files. This information can be used to get a feel for the targets overall security. For example if lots of useful information is exposed here, the pentester can make an informed guess that there's likely to be other security issues on the website or server.

The second problem is that there are scripts which automatically crawl the Internet reading this information and reporting back about possible security holes.

The easiest way to view the headers of the current website is to use the Firebug extension of the Firefox web browser. Just click on the Net tab and refresh the page, the server's response headers will be listed.

PHP

The PHP version comes in the form of an X-Powered-By header which discloses the full PHP version, which looks like:

Code X-Powered-By    PHP/5.2.17

Apache

The Apache version's header is called Server. Unlike the X-Powered-By header, the Server header often discloses a long list of sensitive information including SSL versions and Operating System details. The example below discloses the OS (RedHat) and other useful information.

Code Server    Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1

It's not necessary to entirely hide the Apache version, it can be configured to show simply Apache/2 which is OK because knowing it's Apache version 2 is too generic to be of any use to any hackers.

Thankfully PHP and Apache make it very easy to configure the services to hide this sensitive information.

Hide the X-Powered-By header

This can easily be done by finding the expose_php setting in the server's php.ini configuration file and setting its value to Off.

Code ; X-Powered-By header (in php.ini)
expose_php = Off

Configure the Server header to display only basic information such as Apache/2

The example below is for the Apache server's httpd.conf configuration file. The ServerSignature setting will ensure that Apache doesn't disclose information when showing 404 or 500 error pages.

Code ServerTokens Prod
ServerSignature Off

I won't name names for obvious reasons but, a Google search for "information security" will reveal IT security companies which have overlooked this.

Comments

There are 1 responses. Why not add a comment? No registration required.

  • Tone 3rd Feb 2012, 09:37 PM

    Thanks for this. Clear, simple and correct!

Leave a Comment

Enter Code

Refresh code

Menu

Firefox Addons