PHP expose_php Information Disclosure

This script is Copyright (C) 2010-2012 Tenable Network Security, Inc.


Synopsis :

The configuration of PHP on the remote host allows disclosure of
sensitive information.

Description :

The PHP install on the remote server is configured in a way that
allows disclosure of potentially sensitive information to an attacker
through a special URL. Such a URL triggers an Easter egg built into
PHP itself.

Other such Easter eggs likely exist, but Nessus has not checked for
them.

See also :

http://www.0php.com/php_easter_egg.php
http://seclists.org/webappsec/2004/q4/324

Solution :

In the PHP configuration file, php.ini, set the value for
'expose_php' to 'Off' to disable this behavior. Restart the web
server daemon to put this change into effect.
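
One way to confirm the setting after editing, as an added example that is not part of the Nessus plugin: the Python sketch below reads php.ini text and reports the effective 'expose_php' value, treating a missing or commented-out directive as On (PHP's built-in default). The function names, file names and sample contents are assumptions constructed for illustration; per-directory sections and .user.ini files are not modelled.

```python
import re

# Directive names in php.ini are case sensitive; values are not.
_DIRECTIVE = re.compile(r"^\s*expose_php\s*=\s*(.*?)\s*$")
NOT_SET = "default (directive not set)"

def _is_on(raw):
    """Approximate PHP's boolean ini parsing: on/true/yes or a non-zero integer."""
    value = raw.strip("\"'").lower()
    if value in ("on", "true", "yes"):
        return True
    try:
        return int(value) != 0
    except ValueError:
        return False  # off, false, no, none, empty string

def expose_php_enabled(ini_files):
    """ini_files: (name, text) pairs in load order. Returns (enabled, source)."""
    enabled, source = True, NOT_SET  # PHP's built-in default is On
    for name, text in ini_files:
        for lineno, line in enumerate(text.splitlines(), 1):
            match = _DIRECTIVE.match(line.split(";", 1)[0])  # drop ; comments
            if match:  # a later assignment overrides an earlier one
                enabled, source = _is_on(match.group(1)), f"{name}:{lineno}"
    return enabled, source

# Constructed sample input (file names are hypothetical).
SAMPLE_MAIN = "[PHP]\n; expose_php = Off\nexpose_php = On\n"
SAMPLE_HARDENING = "expose_php = Off ; hide the PHP version\n"

if __name__ == "__main__":
    for files in ([("php.ini", SAMPLE_MAIN)],
                  [("php.ini", SAMPLE_MAIN), ("conf.d/99-hardening.ini", SAMPLE_HARDENING)]):
        enabled, source = expose_php_enabled(files)
        print("FINDING" if enabled else "ok", "expose_php", "On" if enabled else "Off", "from", source)
```

The check reads configuration text only; the running server picks up the change only after the restart described above.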

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Family: Web Servers

Nessus Plugin ID: 46803

Bugtraq ID:

CVE ID: