On Thu, 10 Nov 2005, Peter Brodersen wrote:

> Those targeting specific web sites might be able to figure out the
> approximate version otherwise. The major version of php could be
> determined in a couple of other ways, such as checking what animal
> (sorry Thies :-) is present, e.g.:
> http://www.php.net/cal.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42
> and otherwise still try any kind of exploit if the version information
> is unavailable.

That special trick should be disabled when expose_php is set to off; did 
you verify that?

> I don't think it would reduce the number of attacks turning the
> version information off. But it would be more cumbersome to help
> people with php issues as the php version is not directly available.

Right, that was my point too.

Derick

-- 
Derick Rethans
http://derickrethans.nl | http://ez.no | http://xdebug.org

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
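
Added example, not part of the original message or of PHP itself: one way to run the verification asked about above against your own server, by auditing two captured responses (the normal page and the same page requested with the logo query string from the thread). It assumes that an answered logo query comes back with an `image/*` content type; the sample responses, the version string in them and the function names are constructed for illustration.

```python
from email.parser import Parser

# Query string quoted in the thread; append it to a PHP page on your own server.
LOGO_QUERY = "=PHPE9568F34-D428-11d2-A769-00AA001ACF42"


def parse_headers(raw):
    """Return the headers of a raw HTTP/1.x response as a case-insensitive Message."""
    head, _, _body = raw.partition("\r\n\r\n")
    _status_line, _, header_block = head.partition("\r\n")
    return Parser().parsestr(header_block, headersonly=True)


def audit(normal_raw, logo_raw):
    """Return a list of disclosure findings; an empty list means none was seen."""
    findings = []
    powered = parse_headers(normal_raw).get("X-Powered-By", "")
    if "php" in powered.lower():
        findings.append("X-Powered-By discloses: " + powered)
    # Assumption: when the logo query is honoured, the reply is an image
    # rather than the page's usual HTML.
    ctype = parse_headers(logo_raw).get_content_type()
    if ctype.startswith("image/"):
        findings.append("logo query answered with " + ctype)
    return findings


# Constructed sample captures (bodies shortened; version string is made up).
PAGE = "<html>calendar</html>"
EXPOSED_NORMAL = ("HTTP/1.1 200 OK\r\nX-Powered-By: PHP/5.0.5\r\n"
                  "Content-Type: text/html\r\n\r\n" + PAGE)
LOGO_ANSWERED = ("HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\n"
                 "(image bytes omitted)")
HIDDEN_NORMAL = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n" + PAGE

if __name__ == "__main__":
    for name, pair in [("exposed", (EXPOSED_NORMAL, LOGO_ANSWERED)),
                       ("header stripped only", (HIDDEN_NORMAL, LOGO_ANSWERED)),
                       ("hidden", (HIDDEN_NORMAL, HIDDEN_NORMAL))]:
        print(name, "->", audit(*pair) or "no disclosure seen")
```

The middle case is the one worth checking: a front end that strips `X-Powered-By` does not by itself stop the logo query from being answered.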
