Guide: expose_php = off for WordPress
What it is
Here's the scoop according to the Open Source Vulnerability DataBase:
Couldn't have said it better myself. Basically, if you're running PHP it may be possible for someone to discover the PHP version and other sensitive information. This is also referred to as a type of "fingerprinting" attack. It's not "threat level midnight" or anything like that, but it is certainly worth a few moments to lock down: another layer of protection that increases the security of your website(s).
How it works
On servers running PHP, visit any page, remove the trailing slash, and append any of the following query strings:
If the vulnerability is present, requests made with these query strings result in a variety of easter eggs and detailed PHP credits (see screenshots). When these easter eggs are visible, it means that
Disable expose_php via php.ini
If you have access to (and can edit) your server's
..we send this:
Note that in addition to PHP sending its info via the
This simply uses the ServerTokens directive to suppress the version number in the Server response header. The ServerSignature directive removes the version info from server-generated pages (error pages, directory listings), which is an added bonus.
Prevent access via .htaccess
If you don't have access to
Just place that code in your site's root .htaccess file and you're good to go (no editing required). How does it work? In the first line we're matching our regular expression against query-string requests (via "
Here's a comparison to help visualize the pattern:
String:
The line terminates with a "no-case"
All together then
Combining our two Apache techniques, we get an equivalent to disabling
1) Add to Apache's main configuration file (httpd.conf):
2) Add to Apache httpd.conf or .htaccess:
By combining our two methods we deny access to PHP credits/info and disable broadcasting of the Apache version. That's effective, but unfortunately there's no way to prevent
Note also that Apache's
PHP easter eggs
When something is intentionally hidden within a book, app, or whatever, it's referred to as an "easter egg". PHP has at least four of them:
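As an added example (not code from the original post), here is a small Python script that applies the same GUID-shaped pattern the .htaccess rule matches, but from the defender's side: it scans Apache access-log lines for easter-egg probes (a 200 means the egg was served, a 403 means the rewrite rule blocked it) and reports response headers that still leak version details. The log lines, IP addresses and the GUID value are constructed samples, not real traffic or PHP's actual identifiers.

```python
import re
from urllib.parse import urlsplit

# Shape of PHP's easter-egg query strings: an optional "=" then "PHP" plus a
# GUID (hex groups of 8-4-4-4-12). The real identifiers are not reproduced
# here; matching the shape catches all of them, in any letter case.
EASTER_EGG_RE = re.compile(
    r"^=?PHP[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}$",
    re.IGNORECASE,
)

# Apache combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_easter_egg_probe(target: str) -> bool:
    """True when the request target carries a PHP easter-egg style query string."""
    return bool(EASTER_EGG_RE.match(urlsplit(target).query))


def find_fingerprint_probes(log_lines):
    """Return (ip, target, status) for each request that probes for PHP easter eggs."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and is_easter_egg_probe(m["target"]):
            hits.append((m["ip"], m["target"], int(m["status"])))
    return hits


def leaking_headers(headers):
    """Return the response headers that reveal PHP or Apache version details.

    X-Powered-By is what expose_php=On adds; a Server value containing a
    version number means ServerTokens is not hiding it."""
    leaks = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname == "x-powered-by" or (lname == "server" and re.search(r"/\d", value)):
            leaks[name] = value
    return leaks


# Constructed sample log lines; the GUID is a made-up value with the real shape.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Mar/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.5 - - [12/Mar/2024:10:01:09 +0000] "GET /index.php?=PHPB0000001-0000-11d2-0000-000000000000 HTTP/1.1" 200 2048',
    '198.51.100.7 - - [12/Mar/2024:10:02:30 +0000] "GET /?=phpb0000001-0000-11d2-0000-000000000000 HTTP/1.1" 403 199',
    '198.51.100.7 - - [12/Mar/2024:10:03:00 +0000] "GET /page?id=PHP HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for ip, target, status in find_fingerprint_probes(SAMPLE_LOG):
        print(f"{ip} probed {target} -> {status}")
```

Feed the script your real access log instead of SAMPLE_LOG to see whether anyone has been probing, and whether the probes got a 200 (egg served) or a 403 (blocked).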
So what's the deal?
This is all fine and interesting, but is it worth it? It's been reported that cPanel requires the PHP version info, so some hosts may leave
Shouts out
Thank you to Warner Nanninga for bringing this to my attention and helping with further information. Cheers!
About the Author: Jeff Starr. Fullstack Developer. Book Author. Teacher. Human Being.