On Thu, 10 Nov 2005, Peter Brodersen wrote:

> Those targeting specific web sites might be able to figure out the
> approximate version otherwise. The major version of php could be
> determined in a couple of other ways, such as checking what animal
> (sorry Thies :-) is present, e.g.:
> http://www.php.net/cal.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42
> and otherwise still try any kind of exploit if the version information
> is unavailable.
That special trick should be disabled when expose_php is set to off; did you verify that?

> I don't think it would reduce the number of attacks turning the
> version information off. But it would be more cumbersome to help
> people with php issues as the php version is not directly available.

Right, that was my point too.

Derick

--
Derick Rethans
http://derickrethans.nl | http://ez.no | http://xdebug.org

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php