On servers running PHP, visit any page, remove the trailing slash, and append any of the following query-strings:
?=PHPE9568F36-D428-11d2-A769-00AA001ACF42
?=PHPE9568F35-D428-11d2-A769-00AA001ACF42
?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
?=PHPE9568F34-D428-11d2-A769-00AA001ACF42
If the vulnerability is present, requests made with these query-strings results in a variety of easter eggs and detailed PHP credits. When these easter eggs are visible, it means that expose_php
is enabled on the server. And when expose_php
is enabled, PHP-generated pages are sent with X-Powered-By
response-headers that give PHP/version infos, such as “X-Powered-By: PHP/5.4.7
”. Knowing the version number of software makes it easier for bad guys to research and exploit known vulnerabilities. So let’s take a moment to “plug the leak” by disabling expose_php
.
Disable expose_php via php.ini
The recommended solution is to set expose_php = Off
Return to Home