PHP expose_php Information Disclosure

Medium Nessus Plugin ID 46803


The configuration of PHP on the remote host allows disclosure of sensitive information.


The PHP installation on the remote server is configured in a way that allows disclosure of potentially sensitive information to an attacker through a special URL. Such a URL triggers an Easter egg built into PHP itself.

Other such Easter eggs likely exist, but Nessus has not checked for them.


In the PHP configuration file, php.ini, set the value for 'expose_php' to 'Off' to disable this behavior. Restart the web server daemon to put this change into effect.
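To confirm the setting after editing, the following added example (not part of the Nessus plugin or of PHP) reports which assignment of 'expose_php' takes effect across a set of ini files. The file names, the load order and the sample contents are assumptions constructed for illustration, and the boolean parsing is a simplified model of how PHP reads ini values.

```python
import re

_DIRECTIVE = re.compile(r"^\s*expose_php\s*=\s*(.*)$", re.IGNORECASE)


def ini_bool(value):
    """Interpret a value the way PHP treats boolean ini settings (simplified)."""
    v = value.strip().strip("\"'").lower()
    if v in ("on", "yes", "true"):
        return True
    num = re.match(r"[+-]?\d+", v)          # leading integer, non-zero means enabled
    return bool(num) and int(num.group()) != 0


def audit_expose_php(files):
    """files: list of (name, text) pairs in the order PHP loads them.

    Returns (enabled, name, line_no) for the assignment that takes effect.
    With no assignment at all, PHP's built-in default (enabled) applies and
    name/line_no are None.
    """
    result = (True, None, None)
    for name, text in files:
        for line_no, raw in enumerate(text.splitlines(), start=1):
            line = raw.split(";", 1)[0]      # drop ';' comments, including commented-out directives
            match = _DIRECTIVE.match(line)
            if match:                        # a later assignment overrides an earlier one
                result = (ini_bool(match.group(1)), name, line_no)
    return result


# Constructed sample input: a main php.ini that leaves the setting on, and a
# hypothetical override file loaded after it that turns the setting off.
SAMPLE_MAIN = "[PHP]\n; expose_php = Off\nexpose_php = On\n"
SAMPLE_OVERRIDE = "expose_php = Off\n"

if __name__ == "__main__":
    cases = {
        "php.ini only": [("php.ini", SAMPLE_MAIN)],
        "php.ini + override": [("php.ini", SAMPLE_MAIN),
                               ("conf.d/99-hardening.ini", SAMPLE_OVERRIDE)],
    }
    for label, files in cases.items():
        enabled, name, line_no = audit_expose_php(files)
        state = "On (finding still present)" if enabled else "Off"
        print(f"{label}: expose_php is {state}, set at {name}:{line_no}")
```

The result reflects the files on disk; the running server keeps the old value until the web server daemon is restarted.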

Plugin Details

Severity: Medium

ID: 46803

File Name: php_expose_php.nasl

Version: 1.7

Type: remote

Family: Web Servers

Published: 2010/06/03

Updated: 2018/11/15

Dependencies: 10107

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: cpe:/a:php:php

Required KB Items: www/PHP

Excluded KB Items: Settings/disable_cgi_scanning

Exploited by Nessus: true

Vulnerability Publication Date: 2004/11/28