Thread: [mod-security-users] Disable php_flag version?
From: Mike Y. <li...@32...> - 2009-02-27 12:21:12
Is there any way I can change (or disable) what PHP version is returned when someone does a scan of my server?

--
Mike B^)>
From: Ryan B. <Rya...@br...> - 2009-02-27 13:36:02
-----Original Message-----
From: Mike Yrabedra [mailto:li...@32...]
Sent: Friday, February 27, 2009 6:13 AM
To: modsec-users
Subject: [mod-security-users] Disable php_flag version?

Is there any way I can change (or disable) what PHP version is returned when someone does a scan of my server?

[Ryan Barnett] The problem is that there are so many ways that application version information data may leak out. Check out some of the comments here - http://www.php.net/manual/en/security.hiding.php. You might want something like "expose_php=Off" in your php.ini file. ModSecurity can help to hide the php module info in the Server response header if you set the SecServerSignature directive.
From: Mike Y. <li...@32...> - 2009-02-27 14:11:15
Thanks Ryan, that may do what I need.

Trying to hide it from McAfee-ScanAlert.

on 2/27/09 8:35 AM, Ryan Barnett at Rya...@br... wrote:

> -----Original Message-----
> From: Mike Yrabedra [mailto:li...@32...]
> Sent: Friday, February 27, 2009 6:13 AM
> To: modsec-users
> Subject: [mod-security-users] Disable php_flag version?
>
> Is there any way I can change (or disable) what PHP version is returned
> when someone does a scan of my server?
>
> [Ryan Barnett] The problem is that there are so many ways that application
> version information data may leak out. Check out some of the comments here -
> http://www.php.net/manual/en/security.hiding.php. You might want something
> like "expose_php=Off" in your php.ini file. ModSecurity can help to hide the
> php module info in the Server response header if you set the
> SecServerSignature directive.

--
Mike B^)>
From: yersinia <yer...@gm...> - 2009-02-27 13:54:11
On Fri, Feb 27, 2009 at 2:35 PM, Ryan Barnett <Rya...@br...> wrote:

> -----Original Message-----
> From: Mike Yrabedra [mailto:li...@32...]
> Sent: Friday, February 27, 2009 6:13 AM
> To: modsec-users
> Subject: [mod-security-users] Disable php_flag version?
>
> Is there any way I can change (or disable) what PHP version is returned
> when someone does a scan of my server?
>
> [Ryan Barnett] The problem is that there are so many ways that application
> version information data may leak out. Check out some of the comments here
> - http://www.php.net/manual/en/security.hiding.php. You might want
> something like "expose_php=Off" in your php.ini file. ModSecurity can help
> to hide the php module info in the Server response header if you set the
> SecServerSignature directive.

But not in reverse proxy mode with mod_proxy. You have to use mod_header.

Regards
Elia
From: Ryan B. <Rya...@br...> - 2009-02-27 14:05:24
From: pin...@gm... [mailto:pin...@gm...] On Behalf Of yersinia
Sent: Friday, February 27, 2009 8:54 AM
To: Ryan Barnett
Cc: Mike Yrabedra; modsec-users
Subject: Re: [mod-security-users] Disable php_flag version?

On Fri, Feb 27, 2009 at 2:35 PM, Ryan Barnett <Rya...@br...> wrote:

-----Original Message-----
From: Mike Yrabedra [mailto:li...@32...]
Sent: Friday, February 27, 2009 6:13 AM
To: modsec-users
Subject: [mod-security-users] Disable php_flag version?

Is there any way I can change (or disable) what PHP version is returned when someone does a scan of my server?

[Ryan Barnett] The problem is that there are so many ways that application version information data may leak out. Check out some of the comments here - http://www.php.net/manual/en/security.hiding.php. You might want something like "expose_php=Off" in your php.ini file. ModSecurity can help to hide the php module info in the Server response header if you set the SecServerSignature directive.

But not in reverse proxy mode with mod_proxy. You have to use mod_header.

[Ryan Barnett] True, you would have to use something like this -

    Header always set Server "Whatever-Name-You-Want"
From: yersinia <yer...@gm...> - 2009-03-02 08:06:11
On Fri, Feb 27, 2009 at 3:05 PM, Ryan Barnett <Rya...@br...> wrote:

> From: pin...@gm... [mailto:pin...@gm...] On Behalf Of yersinia
> Sent: Friday, February 27, 2009 8:54 AM
> To: Ryan Barnett
> Cc: Mike Yrabedra; modsec-users
> Subject: Re: [mod-security-users] Disable php_flag version?
>
> On Fri, Feb 27, 2009 at 2:35 PM, Ryan Barnett <Rya...@br...> wrote:
>
> -----Original Message-----
> From: Mike Yrabedra [mailto:li...@32...]
> Sent: Friday, February 27, 2009 6:13 AM
> To: modsec-users
> Subject: [mod-security-users] Disable php_flag version?
>
> Is there any way I can change (or disable) what PHP version is returned
> when someone does a scan of my server?
>
> [Ryan Barnett] The problem is that there are so many ways that application
> version information data may leak out. Check out some of the comments here
> - http://www.php.net/manual/en/security.hiding.php. You might want
> something like "expose_php=Off" in your php.ini file. ModSecurity can help
> to hide the php module info in the Server response header if you set the
> SecServerSignature directive.
>
> But not in reverse proxy mode with mod_proxy. You have to use mod_header.
>
> [Ryan Barnett] True, you would have to use something like this -
>
>     Header always set Server "Whatever-Name-You-Want"

I prefer not to put a random server name, either with mod_header or with mod_security, but rather a server name that exists in nmap's content db. In this way you can fool nmap's application fingerprint.

Regards