The toggle has two values.

On (default):
  Inserts an X-Powered-By header with the PHP version.
  Causes the phpcredits page and the PHP and Zend logos to be displayed in unexpected fashion where people's webpages would be expected.
  Enables logos to be displayed in the phpinfo() output.

Off (not default):
  Responses are smaller.
  Removes the unexpected display of credits and logos.
  No logos are displayed in the phpinfo() output.

If it was off, would anyone switch it on? No. Anyone wishing to obtain compliance with credit card industry standards must disable it. Leaving it on creates work for users, who often have to or wish to disable it, produces unexpected behaviour, and consumes more bandwidth. It is a rather user-hostile position to leave it defaulted to "On".

PHP 5.5 will remove the display of phpcredits and logos, but retains the X-Powered-By header, and so will still require disabling of this feature on most serious deployments, but upstream presumably thought the display of credits and logos enough of an issue to remove it from the code base entirely. My brief inspection of the 5.5a4 code suggests this parameter will just toggle the X-Powered-By header in 5.5 and later.

The actual display of logos and credits appears secure, in that it returns the logos through the name of the page requested with different GUID parameters (so no dependence on other servers), and none of the pages permit of trivial injection attacks. That said, I can imagine it might be possible to use it to confuse naive search engines, or naive proxy servers (or naive users), into displaying, caching or indexing the wrong content for a website. As such, having expose_php enabled before 5.5 is potentially a security issue over and above information leakage.

I would advise everyone to disable the option, since it has no upside, will increase bandwidth costs, and has other potential issues.
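As an added example (not part of the bug report or of PHP itself), a small Python check for the two places this directive shows up: the effective expose_php value in a php.ini body, treating a missing directive as the report's compiled-in default of On, and the X-Powered-By header in a raw HTTP response. The php.ini text and the response are constructed samples.

```python
"""Check whether PHP's expose_php is disabled, in php.ini and on the wire.

Added example, not part of the bug report. Parsing follows the php.ini
format: ';' starts a comment, [Section] lines are headers, and booleans
may be spelled On/Off, 1/0, yes/no or true/false.
"""
from typing import Optional

_TRUE = {"1", "on", "yes", "true"}
_FALSE = {"0", "off", "no", "false", "none", ""}


def expose_php_enabled(ini_text: str) -> bool:
    """Effective expose_php value; absent or commented-out means On (default)."""
    enabled = True  # compiled-in default, as the report describes
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop ';' comments
        if not line or line.startswith("["):  # blank line or [Section]
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip().lower() != "expose_php":
            continue
        value = value.strip().strip('"').lower()
        if value in _TRUE:
            enabled = True      # last occurrence wins, as in PHP's parser
        elif value in _FALSE:
            enabled = False
    return enabled


def powered_by_header(raw_response: str) -> Optional[str]:
    """X-Powered-By value from raw HTTP response headers, or None if absent."""
    head = raw_response.split("\r\n\r\n", 1)[0]   # headers only, not body
    for line in head.split("\r\n")[1:]:           # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-powered-by":
            return value.strip()
    return None


# Constructed samples: a hardened php.ini and a response from a default install
HARDENED_INI = "[PHP]\n; expose_php = On\nexpose_php = Off\n"
DEFAULT_RESPONSE = (
    "HTTP/1.1 200 OK\r\nX-Powered-By: PHP/5.4.0\r\n"
    "Content-Type: text/html\r\n\r\n<html>X-Powered-By: not a header</html>"
)

if __name__ == "__main__":
    print("expose_php enabled:", expose_php_enabled(HARDENED_INI))
    print("X-Powered-By:", powered_by_header(DEFAULT_RESPONSE))
```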