Information Disclosure via X-Php-Version Header

Description

The 'X-Php-Version' header discloses the exact PHP version the application runs on. With a precise release number, an attacker can look up the known vulnerabilities and unpatched flaws that apply to that version, target the default configuration and deprecated functions of that release, and point automated tools at version-specific exploits. The header does not by itself create a vulnerability, but it removes the guesswork from targeting the PHP environment and makes an outdated installation easy to spot from the outside.

Remediation

Remove or mask the 'X-Php-Version' header so that external parties cannot learn your PHP version. First find the layer that sets it: the PHP engine itself advertises its version through the 'X-Powered-By' header when expose_php is on, while an 'X-Php-Version' header is typically added by application code, a framework, or the hosting platform. Configure the web server (Apache, Nginx) or PHP-FPM to drop the header from responses, and set expose_php = Off in php.ini to stop the related 'X-Powered-By' disclosure. If reverse proxies, CDNs, or load balancers sit in front of the application, confirm that they neither preserve nor re-add version headers received from the origin. Hiding the header is not a substitute for patching: keep PHP and its extensions on supported, patched releases. A Web Application Firewall (WAF) or intrusion detection system can flag traffic that probes for PHP-specific flaws. Audit the server and PHP configuration regularly, for example by inspecting response headers after each deployment, to confirm that no version information leaks.
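The check a practitioner would run before and after applying the remediation, as an added example that is not part of the original page: a POSIX shell function that scans a captured HTTP response for any header revealing the PHP version (the X-Php-Version header itself, plus the X-Powered-By and Server variants), a curl wrapper for live hosts, and the server directives that remove the header. The sample response in the demo is constructed, not captured from a real host; the curl wrapper assumes curl is installed.

```shell
#!/bin/sh
# Added example, not part of the original page: audit an HTTP response for
# headers that disclose the PHP version. Against a live host run
# `check_url https://example.com` (curl assumed available); the demo at the
# bottom runs offline on a constructed response.

# Print every response header that reveals a PHP version. Reads the file
# given as $1 ("-" for stdin). Returns 1 if anything leaked, 0 if clean.
# HTTP header names are case-insensitive, so the match is too. Covers the
# X-Php-Version header and the X-Powered-By / Server variants that embed
# "PHP/x.y.z".
find_php_version_headers() {
    leaks=$(grep -iE '^(x-php-version:|(x-powered-by|server):.*php/?[0-9])' "$1" | tr -d '\r')
    if [ -n "$leaks" ]; then
        printf '%s\n' "$leaks"
        return 1
    fi
    return 0
}

# Fetch only the headers of a URL and run the check on them.
check_url() {
    curl -sSI "$1" | find_php_version_headers -
}

# Fix at the layer that sets the header (these are real directives):
#   php.ini   expose_php = Off                    # stops X-Powered-By: PHP/x.y.z
#   nginx     fastcgi_hide_header X-Php-Version;  # PHP-FPM (fastcgi_pass) upstreams
#             proxy_hide_header   X-Php-Version;  # proxy_pass upstreams
#   Apache    Header always unset X-Php-Version   # requires mod_headers
# Re-run the check after the change: a CDN or load balancer in front of the
# origin may re-add headers it received from it.

# Offline demo on a constructed response (not captured from a real host).
demo() {
    tmp=$(mktemp)
    printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nX-Php-Version: 8.1.2\r\nX-Powered-By: PHP/8.1.2\r\nContent-Type: text/html\r\n' > "$tmp"
    if find_php_version_headers "$tmp"; then
        echo "clean: no PHP version disclosed"
    else
        echo "version disclosure found (headers listed above)"
    fi
    rm -f "$tmp"
}

demo
```

The function returns non-zero on a leak so it can gate a deployment pipeline (`check_url "$STAGING_URL" || exit 1`). Note that removing the header at the proxy hides it from clients but does not stop the origin from sending it on the internal hop; fixing it at the origin and verifying at the edge covers both.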

References

https://www.php.net/security
https://owasp.org/www-community/attacks/Information_exposure

Severity

MEDIUM

Owasp

Code: A05:2021

Category: Security Misconfiguration

Classification

CWE-200
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.3

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

6.9