Are you aware of PHP easter eggs? They are special query strings that, when appended to the URL of any PHP page, make the interpreter return a built-in page (the PHP credits, or the PHP and Zend logos) instead of your content. If you're not familiar with them, chances are your PHP site is exposing information that could help a determined attacker.
To see if easter eggs are turned on, take any page on your PHP site and add this to the end of its URL:
?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
Do you see the PHP credits page? If so, your PHP installation is configured to expose information to your visitors. The credits page itself contains nothing harmful, but the same setting that enables it also makes the server broadcast the exact PHP version in an HTTP response header on every request, not just this one. To see how easy it is to find out, open your browser's developer tools (the Network tab) or run curl -I against the page and look at the response headers. You should see a line similar to this:
X-Powered-By: PHP/5.3.13
A clever visitor could use this information to look up known security vulnerabilities in the exact version of PHP you're running, and a scanner can do it automatically. If you're running Apache, the Server header may be doing the same for your web server; the ServerTokens and ServerSignature directives in the Apache configuration control how much it reveals (ServerTokens Prod reduces it to just "Apache").
As such, it's good practice to always make sure
expose_php = Off
is set in your php.ini file. This disables both the easter eggs and the X-Powered-By header; restart the web server (or PHP-FPM) for the change to take effect, then re-run the check above. Note that the easter eggs themselves were removed in PHP 5.5, but expose_php still controls the X-Powered-By header on current versions, so the setting is worth checking regardless of which version you run.
If you are using a shared server and don't have access to php.ini, you can at least block the easter-egg query strings by adding the following to your .htaccess file (this requires mod_rewrite and an AllowOverride setting that permits it):
RewriteEngine On
RewriteCond %{QUERY_STRING} =PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC]
RewriteRule .* - [F]
Anyone requesting one of the easter-egg query strings now gets a 403 Forbidden instead of the credits page. This does not remove the X-Powered-By header, because expose_php is a system-level setting that cannot be changed from .htaccess; if mod_headers is enabled you can strip the header with a separate line, Header unset X-Powered-By. Also note that on a shared server the other sites would still be exposing the information, so it's best to report it to whoever maintains the server.
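An added example (not code from the original post) that automates the check described above and, since it uses the same regular expression, also shows what the .htaccess rule will and won't block. It uses only Python's standard library. The marker text it looks for on the credits page, the image content type it expects from the logo eggs and the User-Agent string are assumptions; the three logo GUIDs extend the credits GUID quoted in the post.

```python
"""Check a PHP site for the easter-egg query strings and version-leaking
headers.  Added example, not code from the original post; the markers it
looks for in responses are assumptions (see comments)."""
import re
import sys
import urllib.error
import urllib.request

# The four easter-egg GUIDs built into PHP before 5.5.  The credits one is
# the one quoted in the post; the other three return logo images.
EASTER_EGGS = {
    "credits": "PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000",
    "php_logo": "PHPE9568F34-D428-11d2-A769-00AA001ACF42",
    "zend_logo": "PHPE9568F35-D428-11d2-A769-00AA001ACF42",
    "egg_logo": "PHPE9568F36-D428-11d2-A769-00AA001ACF42",
}

# Same pattern as the .htaccess RewriteCond; re.IGNORECASE mirrors its [NC].
EGG_QUERY_RE = re.compile(
    r"=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}",
    re.IGNORECASE,
)


def query_is_easter_egg(query_string):
    """True if the query string would be blocked by the .htaccess rule."""
    return EGG_QUERY_RE.search(query_string) is not None


def analyze_response(status, headers, body):
    """Classify one HTTP response.  headers is a dict; names are matched
    case-insensitively.  Returns a list of human-readable findings."""
    lowered = {name.lower(): value for name, value in headers.items()}
    findings = []
    powered_by = lowered.get("x-powered-by", "")
    if powered_by.lower().startswith("php/"):
        findings.append("X-Powered-By leaks " + powered_by)
    server = lowered.get("server", "")
    if re.search(r"/\d", server):  # "Apache/2.2.22" leaks, bare "Apache" does not
        findings.append("Server header leaks " + server)
    content_type = lowered.get("content-type", "")
    if status == 200 and "PHP Credits" in body:  # assumed marker: credits page heading
        findings.append("credits easter egg is enabled")
    elif status == 200 and content_type.startswith("image/"):  # assumed: logo eggs are images
        findings.append("logo easter egg is enabled")
    return findings


def probe(base_url, timeout=10):
    """Request base_url with each easter-egg query string and return the
    findings per egg.  Needs network access; only probe hosts you own."""
    results = {}
    for name, guid in EASTER_EGGS.items():
        request = urllib.request.Request(
            base_url + "?=" + guid,
            headers={"User-Agent": "php-easter-egg-check"},  # assumed UA string
        )
        try:
            with urllib.request.urlopen(request, timeout=timeout) as response:
                status = response.status
                headers = dict(response.headers.items())
                body = response.read(200_000).decode("utf-8", "replace")
        except urllib.error.HTTPError as err:  # the 403 from the rewrite rule lands here
            status, headers, body = err.code, dict(err.headers.items()), ""
        results[name] = analyze_response(status, headers, body)
    return results


if __name__ == "__main__":
    for egg, findings in probe(sys.argv[1]).items():
        print(egg, "->", findings or ["nothing exposed"])
```

Run it as python check.py https://example.com/index.php against a page you control. A site with expose_php = Off reports nothing for the eggs, and a site that only has the .htaccess rule reports nothing for the eggs but still shows the X-Powered-By finding, which is exactly the gap the rewrite rule leaves.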
Questions or comments? Share them below, or tweet us @Pixafy!