Resolved: Micha

    (@michaing)


    One of the checks fails, stating that our “Server response headers contain detailed PHP version info.” Based on the suggested fix, I guess it checks whether the X-Powered-By or Server response headers are set, but does not check their actual content.

    In your case, the Server header is set by Cloudflare, containing “cloudflare” as its value. Hence, the claim that the response headers contain “detailed PHP version info” is simply wrong. PHP and Apache are both configured to not provide any information.

    I suggest adding a value regex check, to verify that there is really any PHP (or other backend) version info contained; otherwise you cause unnecessary worries or actions, potentially even harmful ones.

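The value check the reporter asks for, written as an added Python example (this is not Security Ninja's own code, which is a PHP plugin, and it does not reproduce how the plugin implements its fix). It inspects only the headers that commonly leak backend details and flags them only when a product/version token such as `PHP/8.1.2` or `Apache/2.4.57` actually appears in the value, so a Cloudflare-set `Server: cloudflare` passes. The header names, the regular expression and the sample responses are constructed for this example.

```python
import re

# Response headers that commonly leak backend or framework details.
# Constructed list for this example; matched case-insensitively.
SENSITIVE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

# Matches "<product>/<version>" or "<product> <version>" tokens such as
# "PHP/8.1.2", "Apache/2.4.57" or "Microsoft-IIS/10.0". A bare product name
# with no version digits ("cloudflare", "nginx", "PHP") does not match.
VERSION_RE = re.compile(r"\b([A-Za-z][\w.+-]*)[/ ]v?(\d+(?:\.\d+)*)", re.IGNORECASE)


def find_version_leaks(headers):
    """Return [(header_name, product, version), ...] for sensitive headers
    whose value really contains version information.

    `headers` is a mapping of response header name -> value; names are
    compared case-insensitively, values are scanned with VERSION_RE.
    """
    leaks = []
    for name, value in headers.items():
        if name.lower() not in SENSITIVE_HEADERS:
            continue
        for match in VERSION_RE.finditer(value):
            leaks.append((name, match.group(1), match.group(2)))
    return leaks


def leaks_version_info(headers):
    """True only when a sensitive header carries an actual version string,
    which is the condition a scanner should use before raising the finding."""
    return bool(find_version_leaks(headers))


def describe(headers):
    """Human-readable scan result for one set of response headers."""
    leaks = find_version_leaks(headers)
    if not leaks:
        return "PASS: no backend version info in response headers"
    details = ", ".join(f"{h}: {p} {v}" for h, p, v in leaks)
    return f"FAIL: version info exposed ({details})"


if __name__ == "__main__":
    # Constructed sample responses: one behind Cloudflare with a hardened
    # backend, one that exposes Apache and PHP versions, one with a bare
    # product name and no version.
    samples = {
        "cloudflare-fronted": {"Server": "cloudflare",
                               "Content-Type": "text/html; charset=utf-8"},
        "leaky-lamp": {"Server": "Apache/2.4.57 (Debian)",
                       "X-Powered-By": "PHP/8.1.2"},
        "bare-name": {"X-Powered-By": "PHP"},
    }
    for label, hdrs in samples.items():
        print(f"{label}: {describe(hdrs)}")
```

A name-only check (`X-Powered-By` or `Server` present) would fail all three samples above; the value check fails only the second, which is the distinction the thread is about.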

Viewing 2 replies - 1 through 2 (of 2 total)
Plugin Author Lars Koudal

    (@lkoudal)

    Hello @michaing

    Thank you for bringing this to our attention and for your detailed feedback.

    You are absolutely right about the issue with the server response headers check. We appreciate your suggestion to improve the accuracy of this check by verifying the actual content of the headers.

    I’m pleased to inform you that we have addressed this in our latest release, version 5.192, which was just pushed out. The update includes a fix that ensures the check only flags headers containing actual PHP or other backend version information.

    Please update to the latest version, and you should see this issue resolved. Thanks again for helping us improve Security Ninja!

    Thread Starter Micha

    (@michaing)

    Many thanks for solving this so quickly. I just applied the update, ran a scan, and can verify that this test now passes on our instance. Great work!

The topic ‘False positive: detailed PHP version info’ is closed to new replies.