Re: [PHP-DEV] Re: Expose php: on or off

2005-11-10 Thread Ilia Alshanetsky
Andi Gutmans wrote: > I personally think it can hurt the PHP project to have expose_php turned > off by default. A lot of PHP's push has been thanks to the Netcraft > numbers. I think a PHP worm would do far more harm, but then again I am not a marketing expert :-). IMHO the push behind PHP is du

Re: [PHP-DEV] Re: Expose php: on or off

2005-11-10 Thread Ilia Alshanetsky
Jasper Bryant-Greene wrote: > If someone asks me a PHP question on a newsgroup or forum, and I need to > know their version, I ask them for it. If they don't know how, I tell > them to run php -V Too true, in most cases you'd actually want to see their phpinfo() page, since settings can often expl

Re: [PHP-DEV] Re: Expose php: on or off

2005-11-10 Thread Jani Taskinen
Leave it alone. I vote we just drop this discussion. :) We have a lot of more important things to talk about than something like this. --Jani On Thu, 10 Nov 2005, Wez Furlong wrote: Turning off expose_php is just security by obscurity; a determined hacker can still probe

Re: [PHP-DEV] Re: Expose php: on or off

2005-11-10 Thread Wez Furlong
Turning off expose_php is just security by obscurity; a determined hacker can still probe for problems even if that setting is turned off. My vote is to leave it as-is; leave it to the administrator to decide if they want to turn it off. --Wez. On 11/10/05, Marcus Boerger <[EMAIL PROTECTED]> wro

Re: [PHP-DEV] Re: Expose php: on or off

2005-11-10 Thread Jasper Bryant-Greene
Marcus Boerger wrote: agreed, also we are doing very much work on security. Thus new and regularly updated systems shouldn't have a problem with exposing this. And we cannot do anything for unmaintained systems anyway. Therefore I think we or any user should not be ashamed or fear having php bein

Re: [PHP-DEV] Re: Expose php: on or off

2005-11-10 Thread Marcus Boerger
Hello Andi, agreed, also we are doing very much work on security. Thus new and regularly updated systems shouldn't have a problem with exposing this. And we cannot do anything for unmaintained systems anyway. Therefore I think we or any user should not be ashamed or fear having php being exposed.

RE: [PHP-DEV] Re: Expose php: on or off

2005-11-10 Thread Andi Gutmans
I personally think it can hurt the PHP project to have expose_php turned off by default. A lot of PHP's push has been thanks to the Netcraft numbers. Andi At 10:56 AM 11/10/2005, Wolfgang Drews wrote: > > I don't think it would reduce the number of attacks turning the > > version information

RE: [PHP-DEV] Re: Expose php: on or off

2005-11-10 Thread Wolfgang Drews
Bryant-Greene [mailto:[EMAIL PROTECTED] > Sent: Thursday, November 10, 2005 9:36 PM > To: Peter Brodersen > Cc: [EMAIL PROTECTED]; Wolfgang Drews; 'Derick Rethans'; > internals@lists.php.net > Subject: Re: [PHP-DEV] Re: Expose php: on or off > > Peter Brodersen wrot

Re: [PHP-DEV] Re: Expose php: on or off

2005-11-10 Thread Jasper Bryant-Greene
Peter Brodersen wrote: On Thu, 10 Nov 2005 14:08:29 -0500, in php.internals [EMAIL PROTECTED] (Ilia Alshanetsky) wrote: I don't think it would reduce the number of attacks turning the version information off. But it would be more cumbersome to help people with php issues as the php version is n

Re: [PHP-DEV] Re: Expose php: on or off

2005-11-10 Thread Peter Brodersen
On Thu, 10 Nov 2005 14:08:29 -0500, in php.internals [EMAIL PROTECTED] (Ilia Alshanetsky) wrote: >> I don't think it would reduce the number of attacks turning the >> version information off. But it would be more cumbersome to help >> people with php issues as the php version is not directly avail

Re: [PHP-DEV] Re: Expose php: on or off

2005-11-10 Thread Ilia Alshanetsky
Markus Fischer wrote: > Wolfgang Drews wrote: > I don't think it would reduce the number of attacks turning the version information off. But it would be more cumbersome to help people with php issues as the php version is not directly available. >>> >>> >>> Right, that was my point

Re: [PHP-DEV] Re: Expose php: on or off

2005-11-10 Thread Markus Fischer
Wolfgang Drews wrote: I don't think it would reduce the number of attacks turning the version information off. But it would be more cumbersome to help people with php issues as the php version is not directly available. Right, that was my point too. yes, but in the end it is more a problem

Re: [PHP-DEV] Re: Expose php: on or off

2005-11-10 Thread Ilia Alshanetsky
The expose_php setting is an option, something each admin can make up their own mind upon. Some will prefer not to waste bandwidth and tell the world what they are running, while others prefer to advertise PHP. Either approach is fine, but from a security perspective you want to tell a potential attacke

RE: [PHP-DEV] Re: Expose php: on or off

2005-11-10 Thread Wolfgang Drews
> > I don't think it would reduce the number of attacks turning the > > version information off. But it would be more cumbersome to help > > people with php issues as the php version is not directly available. > > Right, that was my point too. yes, but in the end it is more a problem of user-pe

Re: [PHP-DEV] Re: Expose php: on or off

2005-11-10 Thread Derick Rethans
On Thu, 10 Nov 2005, Peter Brodersen wrote: > Those targeting specific web sites might be able to figure out the > approximate version otherwise. The major version of php could be > determined in a couple of other ways, such as checking what animal > (sorry Thies :-) is present, e.g.: > http://www

[PHP-DEV] Re: Expose php: on or off

2005-11-10 Thread Peter Brodersen
On Thu, 10 Nov 2005 16:13:34 +0100, in php.internals [EMAIL PROTECTED] ("Wolfgang Drews") wrote: >my suggestion would be, to simply shorten the string that gets >exposed to "php" - and not show any version numbers (or maybe leave >it to the user, say 0 for "no exposure", 1 for "only php" and 2 for