Php Expose Php Enabled
Description
Detects when PHP is configured to expose version information through HTTP headers via the expose_php directive. When enabled, this leaks PHP version details to potential attackers, helping them identify vulnerable versions to target.
Detection Strategy
• Examines PHP configuration files (php.ini) for the expose_php directive setting
• Reports a vulnerability if expose_php is not explicitly set to 'off' or '0'
• Default value of expose_php (when not specified) is considered enabled and triggers a vulnerability
• The vulnerability is reported at the line containing the expose_php directive if found, otherwise at line 0
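The detection strategy above, implemented as a small php.ini scanner (an added example, not Fluid Attacks' own detector code). Assumptions: only the spellings 'off' and '0' count as an explicit disable, exactly as the rule states, and when the directive appears more than once the last assignment wins, since PHP reads the file top to bottom.

```python
import re
from typing import Tuple

# Matches "expose_php = value"; inline ';' comments are stripped before matching.
_DIRECTIVE = re.compile(r'^\s*expose_php\s*=\s*(.*?)\s*$', re.IGNORECASE)

# Values the rule treats as an explicit disable (assumption: only these two,
# as the detection strategy states; php.ini itself also accepts "false", "no", ...).
_DISABLED = {"off", "0"}


def check_expose_php(ini_text: str) -> Tuple[bool, int]:
    """Return (vulnerable, line_number) for the contents of a php.ini file.

    - a value other than off/0 is reported at the directive's line
    - a missing (or commented-out) directive means the default, On, applies,
      so it is reported as vulnerable at line 0
    - assumption: the last expose_php assignment in the file wins
    """
    found_line = 0
    value = None
    for lineno, raw in enumerate(ini_text.splitlines(), start=1):
        # php.ini comments start with ';' ('#' comments are not valid since PHP 7).
        line = raw.split(";", 1)[0]
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        found_line = lineno
        value = m.group(1).strip().strip('"\'').lower()
    if value is None:
        return True, 0  # directive absent: default is enabled
    return value not in _DISABLED, found_line


if __name__ == "__main__":
    # Constructed sample configurations for a quick local run.
    samples = {
        "explicit On": "[PHP]\nexpose_php = On\n",
        "explicit Off": "[PHP]\n; security\nexpose_php = Off\n",
        "directive missing": "[PHP]\nmemory_limit = 128M\n",
        "commented out": "[PHP]\n;expose_php = Off\n",
    }
    for name, text in samples.items():
        print(f"{name}: vulnerable={check_expose_php(text)}")
```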
Vulnerable code example
[PHP]
; PHP Configuration File (php.ini)
; Security settings
; VULNERABLE: Exposes PHP version in HTTP headers, helping attackers fingerprint the server
expose_php = On
Secure code example
; PHP Configuration File (php.ini)
; Security settings
; Disable PHP version disclosure in HTTP headers to prevent fingerprinting
; (php.ini comments use ';'; '#' comments are not supported since PHP 7)
expose_php = Off