PHP Easter egg why not OFF by default


(Zimny) #1

I know this is not a big issue, but when we are considering NS as a secure platform, can we disable it by default?
To be honest adjustments like:

“config setprop php ExposePhp 0”

do not solve a problem.

For an experienced pentest man these pages can give a good picture of the PHP version etc.
Why not avoid it at the OS config layer?


(Davide Principi) #2

Any suggestion about hardening the current config is welcome!

Attackers know well the PHP version of NethServer because it’s publicly available from CentOS packages.


(Giacomo Sanchietti) #3

I don’t think Security through Obscurity is a good practice :smiley:

By the way, if you want to change PHP configuration, besides what is currently supported by props, you can implement a template-custom for /etc/php.d/nethserver.ini or edit any other file inside /etc/php.d/.

Just for reference: