Security Tips: expose_php is currently enabled, disable it in php.ini.

4 posts by 3 authors in: Forums > CMS Builder
Last Post: June 15, 2015

By hiroko - June 13, 2015

Hi again,

I have this security tip message on the general setting area.

"expose_php is currently enabled, disable it in php.ini."

I looked at the php.ini file in the cmsb folder, but it is Off already.

; security enhancements
expose_php = Off

Can this be ignored?

Hiroko

So do I.  I checked both the site php.ini and the one in the cmsb folder, and both are the same, off.

--
northernpenguin
Northern Penguin Technologies

"Any sufficiently advanced technology
is indistinguishable from magic."
........Arthur C. Clarke

By Dave - June 15, 2015

Hi Guys, 

It could be that there's another PHP config file being read, or it could be that your server admin has disabled the ability to change that setting.

You can see what the actual value is by checking phpinfo().  Click the phpinfo link at the bottom of Admin > General or use this direct link:
admin.php?menu=admin&action=phpinfo

Search for "expose_php".  The value on the right is the "system value", and the value on the left is the "local value".  The local value is the one that is used and represents what the value is after all the config files are parsed.  If that one says "On", then expose_php is still on.  

You can actually check for yourself with a site like this.  Just look for the PHP Version in the headers: http://tools.seobook.com/server-header-checker/

Here's what the headers from our site look like: 
http://tools.seobook.com/server-header-checker/?url=www.interactivetools.com

What I'd recommend is just email your host and tell them you noticed that expose_php was enabled on your server and ask if they could disable it or provide you with instructions to disable it.

Hope that helps!

Dave Edis - Senior Developer
interactivetools.com
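
The check described in the reply above, as an added example that is not part of the original thread or of CMS Builder: a small PHP script that prints the effective and master values of expose_php, lists every ini file PHP actually parsed along with any expose_php line in each, and shows whether this response carries an X-Powered-By header. The helper names `ini_flag` and `parsed_ini_files` are hypothetical, and the script assumes it is requested through the web server.

```php
<?php
// Added example, not CMS Builder code. Request it through the web server (the
// CLI may load a different php.ini), then delete it from the site afterwards.
header('Content-Type: text/plain; charset=utf-8');

// Boolean directives can come back as "1", "On", "" or "0"; normalise them.
function ini_flag($value)
{
    return filter_var($value, FILTER_VALIDATE_BOOLEAN);
}

// Every ini file PHP parsed for this request: the main one plus scanned extras.
function parsed_ini_files()
{
    $files = [];
    if ($main = php_ini_loaded_file()) {
        $files[] = $main;
    }
    if ($scanned = php_ini_scanned_files()) {
        foreach (explode(',', $scanned) as $path) {
            $files[] = trim($path);
        }
    }
    return array_values(array_filter($files));
}

$all  = ini_get_all();
$info = isset($all['expose_php']) ? $all['expose_php'] : null;
if ($info === null) {
    exit("expose_php was not reported by ini_get_all()\n");
}

echo "Local (effective) value: ", ini_flag($info['local_value']) ? "On" : "Off", "\n";
echo "Master value:            ", ini_flag($info['global_value']) ? "On" : "Off", "\n";
echo "Settable per directory:  ", ($info['access'] & INI_PERDIR) ? "yes" : "no", "\n\n";

foreach (parsed_ini_files() as $file) {
    echo "Parsed: $file\n";
    if (!@is_readable($file)) {
        echo "  (not readable from PHP)\n";
        continue;
    }
    foreach (file($file) as $n => $line) {
        // Commented-out lines start with ';' and do not match this pattern.
        if (preg_match('/^\s*expose_php\s*=\s*([^;\r\n]*)/i', $line, $m)) {
            echo "  line ", $n + 1, ": expose_php = ", trim($m[1]), "\n";
        }
    }
}

// Headers PHP has queued for this very response.
$leak = preg_grep('/^X-Powered-By:/i', headers_list());
echo "\nX-Powered-By in this response: ", $leak ? implode('; ', $leak) : "none", "\n";
```

If the php.ini you edited does not appear among the parsed files, PHP is not reading it, and the setting has to be changed in one of the files that is listed or by the host.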