ID: 32079
User updated by: milky at users dot sf dot net
Reported By: milky at users dot sf dot net
Status: Wont fix
Bug Type: Feature/Change Request
Operating System: all
PHP Version: Irrelevant
New Comment:
Could you please explain, how it could negatively impact "security" if
it is ONLY revealed that your beloved "safe mode" is enabled? After
all, it is meant to make PHP "safe", isn't it?
Previous Comments:
------------------------------------------------------------------------
[2005-02-23 15:31:28] [EMAIL PROTECTED]
We won't change because of obvious security concerns. External people
should not know exactly what your set-up is.
------------------------------------------------------------------------
[2005-02-23 15:17:02] milky at users dot sf dot net
Description:
------------
PHP sends an "X-Powered-By" header with each request answer, containing
a PHP version string. It's also included with the Apache id in its
"Server" header.
This version information however misses important informations - for
example which sort of PHP is running over there.
If PHP is running in crippled mode, it should identify itself as
"SM-PHP/5.03" or just "S/M-PHP" or so. This would significantly benefit
the Web hosting provider industry, since fewer contracts would be
discarded again after customers find out that they've only be given
"Safe"-Mode PHP.
Incorrectly advertising features ("PHP" instead of "S/M-PHP") counts as
mischief in central Europe. *hint,hint*
(Given, that there is always either Python or Perl running on
"safe"-moded Webservers, it's obvious that this setting was made for
dumb providers. No need to discuss that again here; no?)
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=32079&edit=1
