php5-fpm exposes full ubuntu package version in headers

Bug #1002443 reported by Nathan Williams
Affects        Status        Importance  Assigned to  Milestone
php5 (Debian)  Fix Released  Unknown
php5 (Ubuntu)  Opinion       Wishlist    Unassigned

Bug Description

Issue: php5-fpm sets a header displaying the full Ubuntu package version

What should happen: At most, the version of PHP should be shown, similar to
how the Apache version is shown, e.g. PHP/5.3.10

What happens: the full Ubuntu package version is exposed in the X-Powered-By
header

nathan@juttenheim:~$ curl -I localhost:8080
HTTP/1.1 200 OK
Server: nginx/1.1.19
Date: Mon, 21 May 2012 18:51:17 GMT
Content-Type: text/html
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.10-1ubuntu3.1

nathan@juttenheim:~$ sudo sed -i 's/^expose_php = On/expose_php = Off/g' /etc/php5/fpm/php.ini
nathan@juttenheim:~$ sudo service php5-fpm restart
 * Restarting PHP5 FastCGI Process Manager php5-fpm [ OK ]
nathan@juttenheim:~$ curl -I localhost:8080
HTTP/1.1 200 OK
Server: nginx/1.1.19
Date: Mon, 21 May 2012 18:51:57 GMT
Content-Type: text/html
Connection: keep-alive
Vary: Accept-Encoding

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: php5-fpm 5.3.10-1ubuntu3.1
Uname: Linux 3.0.18-linode43 i686
ApportVersion: 2.0.1-0ubuntu7
Architecture: i386
Date: Mon May 21 11:52:47 2012
InstallationMedia:

ProcEnviron:
 TERM=xterm
 PATH=(custom, user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: php5
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.php5.fpm.pool.d.www.conf: [modified]
mtime.conffile..etc.php5.fpm.pool.d.www.conf: 2012-05-02T22:34:44
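The check described above, as an added example that is not part of the bug report: a POSIX shell script that scans a raw header block (what `curl -I` prints) and flags Server / X-Powered-By values that carry a distro package revision rather than only an upstream version. The "-<digit>" heuristic for a Debian/Ubuntu package revision is an assumption of this example.

```shell
#!/bin/sh
# Added example, not part of the bug report: flag banner headers that leak a
# distro package revision (e.g. "-1ubuntu3.1") rather than just an upstream version.

# Classify one banner value. Heuristic assumed here: a "-<digit>" after the
# upstream version is a Debian/Ubuntu package revision.
classify_banner() {
    case "$1" in
        */[0-9]*-[0-9]*) echo FULL_PACKAGE ;;     # PHP/5.3.10-1ubuntu3.1
        */[0-9]*)        echo PRODUCT_VERSION ;;  # nginx/1.1.19, PHP/5.3.10
        *)               echo PRODUCT_ONLY ;;     # Apache
    esac
}

# Scan a raw header block; print "<Header>: <class>" for each Server /
# X-Powered-By header and return 1 if any carries a full package version.
scan_headers() {
    status=0
    headers=$(printf '%s\n' "$1" | tr -d '\r' | grep -iE '^(Server|X-Powered-By):' || true)
    if [ -z "$headers" ]; then
        echo "no banner headers"
        return 0
    fi
    while IFS= read -r line; do
        name=${line%%:*}
        value=${line#*:}
        value=${value# }
        class=$(classify_banner "$value")
        echo "$name: $class"
        if [ "$class" = FULL_PACKAGE ]; then status=1; fi
    done <<EOF
$headers
EOF
    return $status
}

# Sample headers copied from the report: before and after setting expose_php = Off.
SAMPLE_BEFORE='HTTP/1.1 200 OK
Server: nginx/1.1.19
Content-Type: text/html
X-Powered-By: PHP/5.3.10-1ubuntu3.1'
SAMPLE_AFTER='HTTP/1.1 200 OK
Server: nginx/1.1.19
Content-Type: text/html'

scan_headers "$SAMPLE_BEFORE" || echo "package version leaked (exit 1)"
scan_headers "$SAMPLE_AFTER" && echo "no package version leaked (exit 0)"
```

Pipe the output of `curl -sI` against a host you administer into `scan_headers "$(cat)"` to run the same check on a live server.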

Nathan Williams (nathwill-deactivatedaccount-deactivatedaccount) wrote :
tags: added: php server
Ondřej Surý (ondrej) wrote :

I think that the full version number is important and we will gain no extra security by hiding it by default, just more pain when debugging. You always have the option to disable the headers yourself, if you think it will gain you any extra security.

Changed in php5 (Debian):
status: Unknown → Won't Fix
Marc Deslauriers (mdeslaur) wrote :

Security by obscurity doesn't actually work. Hiding the version number will not affect whether your system is secure or not, and it's quite likely that an attacker would simply run his script regardless of the version number displayed on your website.

If this is important in your environment, please use expose_php to disable the banner in your configuration.

Changed in php5 (Ubuntu):
status: New → Opinion
importance: Undecided → Wishlist
Benjamin Kerensa (bkerensa) wrote :

@Marc: I tried to explain the security by obscurity flaw ;) and that one should just focus on a hardened install and not so much about exposed version info in their header.

Nathan Williams (nathwill-deactivatedaccount-deactivatedaccount) wrote :

@bkerensa, thanks for the constructive contribution to the conversation... I discussed this with a couple of folks in #ubuntu-server and one of the Ubuntu php maintainers, and filed this with their feedback.

@all, I'm well aware that security by obscurity is no solution, but as noted by Francois in the linked Debian bug, shipping sane defaults is a reasonable expectation. Advertising the full package version by default just makes it easy for scans to identify vulnerable targets. This is clearly irrelevant in a targeted attack, but it could keep you off a low-hanging-fruit list generated by malicious scanning, which I find to be of value.

So the question should be: what's the value in advertising this information by default? As noted in the bug description, I think php version information similar to the information provided by Apache, Nginx, etc. does make sense to an extent, just not listing the full package name.

I'll agree with Francois in the linked bug, this is ultimately the maintainers' decision, and I'll respect the decision, though I think that a pro vs. con analysis comes down clearly on the side of a better default, be that normalized version info or turning expose_php off.

Changed in php5 (Debian):
status: Won't Fix → Fix Released