
#1 Nov. 10, 2005 16:08:47

Peter B.

[PHP-DEV] Re: Expose php: on or off


On Thu, 10 Nov 2005 16:13:34 +0100, in php.internals
("Wolfgang Drews") wrote:

>my suggestion would be, to simply shorten the string that gets
>exposed to "php" - and not show any version numbers (or maybe leave
>it to the user, say 0 for "no exposure", 1 for "only php" and 2 for
>"php with version number".
>
>what do you think?

I suppose attacks could be divided into targeted attacks and wild
attacks.

The last case (as in all different kinds of worms) has shown us that
it is easier to shoot and move on than to determine whether or not a
host is vulnerable (why send a HEAD request just to determine whether
or not your request would work instead of just sending the malicious
GET request at first?).

It could be mentioned that some worms such as the ones targeting phpbb
used google requests to search for specific versions of phpbb. For
phpbb I'm not sure whether omitting the version number would result in
a better security track record though :-)

Those targeting specific web sites might be able to figure out the
approximate version otherwise. The major version of php could be
determined in a couple of other ways, such as checking what animal
(sorry Thies :-) is present, e.g.:
http://www.php.net/cal.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42
and otherwise still try any kind of exploit if the version information
is unavailable.

People tend to use the default values or less when there is no change
of function. I don't see who would like to add further information if
"current practice" is just to expose "php" and not any version number.

I don't think it would reduce the number of attacks turning the
version information off. But it would be more cumbersome to help
people with php issues as the php version is not directly available.

Honestly I'm not sure how I would feel on the "expose version number"
issue if e.g. google would allow people to restrict their searches
based on header information as well.

--
- Peter Brodersen

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit:http://www.php.net/unsub.php


#2 Nov. 10, 2005 18:35:49

Derick R.


On Thu, 10 Nov 2005, Peter Brodersen wrote:

> Those targeting specific web sites might be able to figure out the
> approximate version otherwise. The major version of php could be
> determined in a couple of other ways, such as checking what animal
> (sorry Thies :-) is present, e.g.:
> http://www.php.net/cal.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42
> and otherwise still try any kind of exploit if the version information
> is unavailable.

That special trick should be disabled when expose_php is set to off; did
you verify that?

> I don't think it would reduce the number of attacks turning the
> version information off. But it would be more cumbersome to help
> people with php issues as the php version is not directly available.

Right, that was my point too.

Derick

--
Derick Rethans http://derickrethans.nl | http://ez.no | http://xdebug.org

#3 Nov. 10, 2005 18:57:05

Wolfgang D.


> > I don't think it would reduce the number of attacks turning the
> > version information off. But it would be more cumbersome to help
> > people with php issues as the php version is not directly available.
>
> Right, that was my point too.

yes, but in the end it is more a problem of user-perception. "hej, if
security-experts say it is more secure, then of course i will turn it
off - after all i don't care for netcraft-stats" (and don't know about
it either).

finally, if people turn it off because of security-reasons, one should
consider a compromise between "security" and "statistics" ... or not?

best regards

-Wolfgang

--
PHP-Centralpoint Dynamic Web Pages: http://www.dynamicwebpages.de/
German PHP-Certification: http://www.phpzertifizierung.de/

#4 Nov. 10, 2005 19:09:15

Ilia A.


The expose_php setting is an option, something each admin can make their
own mind upon. Some will prefer not to waste bandwidth and tell the
world what they are running, while others prefer to advertise PHP.
Either approach is fine, but from a security perspective you want to tell
a potential attacker as little information as possible.

> I don't think it would reduce the number of attacks turning the
> version information off. But it would be more cumbersome to help
> people with php issues as the php version is not directly available.

This is simply not true, when a bug comes in we ask the user to specify
the version, we don't go looking for their server and checking their
version. Old versions of PHP have security holes, a directed attack
against only the vulnerable servers would be much harder to spot and
take far fewer resources to execute.

Ilia


#5 Nov. 10, 2005 19:13:38

Markus F.


Wolfgang Drews wrote:
> > > I don't think it would reduce the number of attacks turning the
> > > version information off. But it would be more cumbersome to help
> > > people with php issues as the php version is not directly available.
> >
> > Right, that was my point too.
>
> yes, but in the end it is more a problem of user-perception. "hej, if
> security-experts say it is more secure, then of course i will turn it
> off - after all i don't care for netcraft-stats" (and don't know about
> it either).
>
> finally, if people turn it off because of security-reasons, one should
> consider a compromise between "security" and "statistics" ... or not?

I don't understand any of the positions that it changes anything about
security when turning it off. This is the number one "security by
obscurity" example and is worse than anything: it gives the users
the wrong feeling they made a step in securing their vulnerable service.

There are not many reasons why a check for a PHP version should be done.
The probably most interesting one is the minor version when the attack
can be carried to multiple versions with different offset for stack
smashing or whatever the current best practice is.

But as soon as the guys find out that people are turning it off (and I'm
sure they found out already) they don't care about the version anyway
and just go ahead and try brute force.

All in all it's a complete false perception of security.

- Markus


#6 Nov. 10, 2005 19:22:04

Ilia A.


Markus Fischer wrote:
> Wolfgang Drews wrote:
>
>>>> I don't think it would reduce the number of attacks turning the
>>>> version information off. But it would be more cumbersome to help
>>>> people with php issues as the php version is not directly available.
>>>
>>>
>>> Right, that was my point too.
>>
>>
>>
>> yes, but in the end it is more a problem of user-perception. "hej, if
>> security-experts say it is more secure, then of course i will turn it
>> off - after all i don't care for netcraft-stats" (and don't know about
>> it either).
>> finally, if people turn it off because of security-reasons, one should
>> consider a compromise between "security" and "statistics" ... or not?
>
>
> I don't understand any of positions that it changes anything about
> security when turning it off. This is the number one "security by
> obscurity" example and is worse than anything: it gives the users
> the wrong feeling they made a step in securing their vulnerable service.

Displaying this value does NOTHING, browser does not care if it is
there, neither does any proxy. So, why send it?

As far as security goes, if you want to provide a map to hackable
servers that's up to you, I personally would rather avoid it.

> But as soon as the guys find out that people are turning it off (and I'm
> sure they found out already) they don't care about the version anyway
> and just go ahead and try brute force.

Sure, and that means by hitting more servers their attack gets noticed
and blocked sooner. And it also gives further incentive for people to
upgrade before they are "hit" because they'll know someone is actively
going after their old version.

Ilia

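The disclosure tiers Wolfgang sketches at the top of the thread (0 no exposure, 1 "PHP" only, 2 "PHP" plus version) and Ilia's "why send it?" both come down to what a server's response head actually carries. As an added example (not code from the thread or from the PHP project), the Python script below parses a raw HTTP response head and classifies the PHP disclosure into those three tiers, so an admin can check what their own server still sends after flipping `expose_php`. It looks at `X-Powered-By`, which is the header `expose_php` controls, and at `Server`, which is governed separately (Apache's `ServerTokens`) and can still carry a PHP version string. The sample responses are constructed for the example, not captured from any real host.

```python
"""Classify how much a PHP web server discloses through HTTP response
headers. Added example, not part of the original thread; the sample
responses below are constructed, not captured from real hosts."""
import re
from typing import Dict, Tuple

# Disclosure tiers, mirroring the 0/1/2 scheme proposed in the thread.
NONE, NAME_ONLY, VERSION = 0, 1, 2

PHP_VERSION_RE = re.compile(r"\bPHP/(\d+(?:\.\d+)*)", re.IGNORECASE)
PHP_NAME_RE = re.compile(r"\bPHP\b", re.IGNORECASE)

# Constructed sample response heads, one per tier plus a Server-header leak.
SAMPLES = {
    # expose_php = On (the default): name and version in X-Powered-By
    "version": "HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Powered-By: PHP/5.0.5\r\n\r\n",
    # hypothetical "name only" variant from the proposal in the thread
    "name_only": "HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Powered-By: PHP\r\n\r\n",
    # expose_php = Off: X-Powered-By is not sent at all
    "off": "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n",
    # expose_php = Off but ServerTokens Full still leaks the version via Server
    "server_leak": "HTTP/1.1 200 OK\r\nServer: Apache/2.0.55 (Unix) PHP/4.4.1\r\n\r\n",
}


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw response head (status line + header lines) into a dict
    keyed by lower-cased header name; repeated headers are joined with ', '."""
    headers: Dict[str, str] = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:  # skip the status line
        if not line.strip():
            break  # blank line terminates the header block
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def php_exposure(headers: Dict[str, str]) -> Tuple[int, str]:
    """Return (tier, offending "name: value") for the worst PHP disclosure found.
    X-Powered-By is checked first because it is the header expose_php controls;
    Server is checked too because ServerTokens can put the PHP version there."""
    worst, detail = NONE, ""
    for name in ("x-powered-by", "server"):
        value = headers.get(name)
        if not value:
            continue
        if PHP_VERSION_RE.search(value):
            return VERSION, f"{name}: {value}"  # nothing is worse than a version
        if PHP_NAME_RE.search(value) and worst < NAME_ONLY:
            worst, detail = NAME_ONLY, f"{name}: {value}"
    return worst, detail


def audit(raw: str) -> int:
    """Convenience wrapper: tier for one raw response head."""
    return php_exposure(parse_headers(raw))[0]


def audit_samples() -> Dict[str, int]:
    """Tier for every constructed sample, keyed by sample name."""
    return {name: audit(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    labels = {NONE: "no PHP disclosure", NAME_ONLY: "name only", VERSION: "name and version"}
    for name, raw in SAMPLES.items():
        tier, detail = php_exposure(parse_headers(raw))
        print(f"{name:12s} tier {tier} ({labels[tier]}) {detail}")
    # The php.ini line that removes X-Powered-By entirely is: expose_php = Off
```

The `server_leak` sample is the case worth remembering from a defender's side: setting `expose_php = Off` removes `X-Powered-By`, but if the web server's own token setting is verbose the version can still appear in `Server`, so the check inspects both headers rather than only the one PHP controls.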

#7 Nov. 10, 2005 19:53:11

Peter B.


On Thu, 10 Nov 2005 14:08:29 -0500, in php.internals
(Ilia Alshanetsky) wrote:

>> I don't think it would reduce the number of attacks turning the
>> version information off. But it would be more cumbersome to help
>> people with php issues as the php version is not directly available.
>This is simply not true, when a bug comes in we ask the user to specify
>the version, we don't go looking for their server and checking their
>version.

I wasn't thinking of php development but more general when people have
trouble with their PHP code (posting in newsgroups, forums, irc, ...).

.. and from another post:

>Displaying this value does NOTHING, browser does not care if it is
>there, neither does any proxy. So, why send it?

The information could help users helping each other. Furthermore the
information could give a hint on the progress of migrating to newer
versions of php for the rest of the world. I think this information
could be pretty valuable for the php community, though I don't think
this information has been used that much so far.


Furthermore, this discussion has been taken for a bunch of different
projects. Apache, mod_ssl, mod_perl and so on. I can't recall they
seriously would encourage people to disable version information so
much that they would change their default settings to reflect this.

I would agree with Markus. This is security by obscurity. The
automated attacks do happen anyway.

--
- Peter Brodersen


#8 Nov. 10, 2005 20:37:11

Jasper B.


Peter Brodersen wrote:
> On Thu, 10 Nov 2005 14:08:29 -0500, in php.internals
> (Ilia Alshanetsky) wrote:
>>> I don't think it would reduce the number of attacks turning the
>>> version information off. But it would be more cumbersome to help
>>> people with php issues as the php version is not directly available.
>> This is simply not true, when a bug comes in we ask the user to specify
>> the version, we don't go looking for their server and checking their
>> version.
> I wasn't thinking of php development but more general when people have
> trouble with their PHP code (posting in newsgroups, forums, irc, ...).

If someone asks me a PHP question on a newsgroup or forum, and I need to
know their version, I ask them for it. If they don't know how, I tell
them to run php -V

This information would be completely useless in the newsgroup/forum use
case because it's just as easy (if not easier) to ask them for it or get
them to run PHP -V as it is to go hunt down their server and inspect the
headers.

Jasper


#9 Nov. 10, 2005 22:11:27

Wolfgang D.


sorry list,

this discussion is going into a totally wrong direction. To make my
point clear once again:

>> it's all just a question of user-perception! <<

there is definitely NO NEED to discuss any security-items in this place
- instead i wanted to make the right people think about changing the behavior
of expose_php, while they are sitting together in paris and talk about the
future of php. And this only, as maybe netcraft-numbers tell us, to at
least take such a change into consideration. That's really all, so please
stop discussing whether it may or may not be useful or more secure to
activate expose_php or not. that is (in my eyes) REALLY not the question.
if security experts have influence on people, that hence turn expose_php
off and hence netcraft numbers for php go down, i can only say "Houston,
we have a problem" and we should do something about it.


thanks anyway for your input, i hope you understand my point of view,

best regards

-Wolfgang

--
PHP-Centralpoint Dynamic Web Pages: http://www.dynamicwebpages.de/
German PHP-Certification: http://www.phpzertifizierung.de/

> -----Original Message-----
> From: Jasper Bryant-Greene
> Sent: Thursday, November 10, 2005 9:36 PM
> To: Peter Brodersen
> Cc: ; Wolfgang Drews; 'Derick Rethans';
> intern***@*ists.php.net
> Subject: Re: Re: Expose php: on or off
>
> Peter Brodersen wrote:
> > On Thu, 10 Nov 2005 14:08:29 -0500, in php.internals
>
> > (Ilia Alshanetsky) wrote:
> >
> >>>I don't think it would reduce the number of attacks turning the
> >>>version information off. But it would be more cumbersome to help
> >>>people with php issues as the php version is not directly
> available.
> >>
> >>This is simply not true, when a bug comes in we ask the user to
> >>specify the version, we don't go looking for their server
> and checking
> >>their version.
> >
> > I wasn't thinking of php development but more general when
> people have
> > trouble with their PHP code (posting in newsgroups, forums,
> irc, ...).
>
> If someone asks me a PHP question on a newsgroup or forum,
> and I need to know their version, I ask them for it. If they
> don't know how, I tell them to run php -V
>
> This information would be completely useless in the
> newsgroup/forum use case because it's just as easy (if not
> easier) to ask them for it or get them to run PHP -V as it is
> to go hunt down their server and inspect the headers.
>
> Jasper
>

#10 Nov. 10, 2005 23:17:07

Andi G.


I personally think it can hurt the PHP project to have expose_php
turned off by default. A lot of PHP's push has been thanks to the
Netcraft numbers.

Andi

At 10:56 AM 11/10/2005, Wolfgang Drews wrote:
> > > I don't think it would reduce the number of attacks turning the
> > > version information off. But it would be more cumbersome to help
> > > people with php issues as the php version is not directly available.
> >
> > Right, that was my point too.
>
> yes, but in the end it is more a problem of user-perception. "hej, if
> security-experts say it is more secure, then of course i will turn it
> off - after all i don't care for netcraft-stats" (and don't know about
> it either).
>
> finally, if people turn it off because of security-reasons, one should
> consider a compromise between "security" and "statistics" ... or not?
>
> best regards
>
> -Wolfgang
>
> --
> PHP-Centralpoint Dynamic Web Pages: http://www.dynamicwebpages.de/
> German PHP-Certification: http://www.phpzertifizierung.de/
