On Thu, 10 Nov 2005 16:13:34 +0100, in php.internals [EMAIL PROTECTED] ("Wolfgang Drews") wrote:
>my suggestion would be, to simply shorten the string that gets
>exposed to "php" - and not show any version numbers (or maybe leave
>it to the user, say 0 for "no exposure", 1 for "only php" and 2 for
>"php with version number".
>
>what do you think?

I suppose attacks could be divided into targeted attacks and wild attacks.

The last case (as in all different kinds of worms) has shown us that it is easier to shoot and move on than to determine whether or not a host is vulnerable (why send a HEAD request just to determine whether or not your request would work instead of just sending the malicious GET request at first?). It could be mentioned that some worms such as the ones targeting phpbb used google requests to search for specific versions of phpbb. For phpbb I'm not sure whether omitting the version number would result in a better security track record though :-)

Those targeting specific web sites might be able to figure out the approximate version otherwise. The major version of php could be determined in a couple of other ways, such as checking what animal (sorry Thies :-) is present, e.g.:

http://www.php.net/cal.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42

and otherwise still try any kind of exploit if the version information is unavailable.

People tend to use the default values or less when there is no change of function. I don't see who would like to add further information if "current practice" is just to expose "php" and not any version number.

I don't think turning the version information off would reduce the number of attacks. But it would be more cumbersome to help people with php issues as the php version is not directly available.

Honestly I'm not sure how I would feel on the "expose version number" issue if e.g. google would allow people to restrict their searches based on header information as well.

-- 
- Peter Brodersen

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
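An added self-audit check, not part of this thread and not PHP's own code: it parses a raw HTTP response head and reports what the `X-Powered-By` and `Server` headers advertise about PHP, using the 0/1/2 scale from Wolfgang's quoted proposal as a reporting scale (that mapping is my assumption for the report, not something PHP implements). The sample responses are constructed; the header name `X-Powered-By: PHP/<version>` is what PHP emits when the `expose_php` ini directive is on.

```python
import re
from typing import Dict, List, Optional, Tuple

# Reporting scale borrowed from the quoted proposal (assumed mapping, not a PHP feature):
#   0 - no PHP advertisement in the response headers
#   1 - "PHP" advertised without a version number
#   2 - "PHP" advertised together with a version number
NO_EXPOSURE, NAME_ONLY, NAME_AND_VERSION = 0, 1, 2

# Matches a "PHP" token that is not part of a longer word (so "mod_php/5" counts,
# "phpbb" would not), optionally followed by "/<version>".
_PHP_TOKEN = re.compile(r"(?<![A-Za-z])PHP(?![A-Za-z])(?:/(\d+(?:\.\d+)*[^\s,;]*))?",
                        re.IGNORECASE)


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse an HTTP/1.x response head into lower-cased header name -> list of values.

    The status line is skipped and parsing stops at the blank line ending the head,
    so a trailing body is ignored. Repeated headers keep every value.
    """
    headers: Dict[str, List[str]] = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:
        if not line.strip():
            break  # end of head
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed line without a colon; ignore it
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def php_exposure_level(raw: str) -> Tuple[int, Optional[str]]:
    """Return (level, version) describing what the response advertises about PHP.

    Both X-Powered-By and Server are inspected, since either may carry the token.
    A version number anywhere wins (level 2); a bare "PHP" gives level 1; nothing gives 0.
    """
    headers = parse_headers(raw)
    level: int = NO_EXPOSURE
    for name in ("x-powered-by", "server"):
        for value in headers.get(name, []):
            match = _PHP_TOKEN.search(value)
            if not match:
                continue
            if match.group(1):
                return NAME_AND_VERSION, match.group(1)
            level = NAME_ONLY
    return level, None


# Constructed sample responses (not captured from any real host).
SAMPLE_FULL = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Powered-By: PHP/5.1.0\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)
SAMPLE_NAME_ONLY = "HTTP/1.1 200 OK\r\nX-Powered-By: PHP\r\n\r\n"
SAMPLE_OFF = "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n"


if __name__ == "__main__":
    for label, sample in (("full", SAMPLE_FULL), ("name only", SAMPLE_NAME_ONLY), ("off", SAMPLE_OFF)):
        level, version = php_exposure_level(sample)
        print(f"{label:10s} -> level {level}, version {version}")
```

Run it against a saved response head from your own server to see which of the three levels it currently sits at; turning `expose_php = Off` in php.ini removes the `X-Powered-By` header that produces levels 1 and 2, while anything in the `Server` header comes from the web server's own configuration.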