Remove PHP's Easter Egg URLs

While going through some PCI scanning recently, a PHP easter egg vulnerability was brought to my attention. It's rather harmless, but it needs to be addressed for PCI reasons. The easter egg allows anyone to pass a special query string to any PHP page, and the server will return an image. You can see the different variables and resulting images at this link. So how do you remove this? It's a quick, easy change to your php.ini file. Set the expose_php flag to Off like so:

expose_php = Off

That’s it!  The easter egg URLs will now be disabled.
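To confirm the change actually took effect, it helps to audit the php.ini rather than eyeball it: the directive may be missing entirely (PHP's built-in default is On), commented out with a leading semicolon, set more than once (the last occurrence wins), or overridden inside a `[HOST=...]` or `[PATH=...]` section. The following is an added example, not code from the original post; the sample php.ini contents, the hostname `shop.example.test` and the function names are constructed for illustration.

```python
import re

# Boolean spellings PHP accepts for ini directives (compared case-insensitively).
_TRUE_VALUES = {"1", "on", "true", "yes"}
_FALSE_VALUES = {"0", "off", "false", "no", "none", ""}

_DIRECTIVE_RE = re.compile(r"^expose_php\s*=\s*(.*)$", re.IGNORECASE)
_SECTION_RE = re.compile(r"^\[(.+)\]$")


def _parse_bool(raw_value):
    """Map an ini boolean spelling to True/False; flag anything else as a misconfiguration."""
    value = raw_value.strip().strip('"\'').lower()
    if value in _TRUE_VALUES:
        return True
    if value in _FALSE_VALUES:
        return False
    raise ValueError(f"unrecognised expose_php value: {raw_value!r}")


def audit_expose_php(ini_text):
    """Audit php.ini text for the expose_php directive.

    Returns a dict:
      "global":    effective value outside any [PATH=...]/[HOST=...] section
                   (True means exposed; this is PHP's default when the directive is absent)
      "overrides": {section_name: value} for per-path / per-host sections
    """
    result = {"global": True, "overrides": {}}
    section = None
    for raw in ini_text.splitlines():
        # ';' starts a comment, so a commented-out ';expose_php = Off' is ignored here.
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        sec = _SECTION_RE.match(line)
        if sec:
            name = sec.group(1).strip()
            # Only PATH= and HOST= sections scope directives; [PHP] and friends are labels.
            section = name if name.upper().startswith(("PATH=", "HOST=")) else None
            continue
        m = _DIRECTIVE_RE.match(line)
        if not m:
            continue
        value = _parse_bool(m.group(1))
        if section is None:
            result["global"] = value      # later occurrences override earlier ones
        else:
            result["overrides"][section] = value
    return result


def findings(ini_text):
    """Human-readable list of problems; empty list means expose_php is Off everywhere."""
    audit = audit_expose_php(ini_text)
    problems = []
    if audit["global"]:
        problems.append("expose_php is On globally (absent, commented out, or explicitly On)")
    for section, value in audit["overrides"].items():
        if value:
            problems.append(f"expose_php is On inside [{section}]")
    return problems


# Constructed sample: the directive is commented out once, then set On,
# with a per-host override that turns it Off for one site only.
SAMPLE_INI = """\
[PHP]
; Decides whether PHP may expose the fact that it is installed on the server
;expose_php = Off
expose_php = On

[HOST=shop.example.test]
expose_php = Off
"""

# Constructed sample after applying the fix described in the post.
FIXED_INI = """\
[PHP]
expose_php = Off
"""

if __name__ == "__main__":
    for label, text in (("before", SAMPLE_INI), ("after", FIXED_INI)):
        print(label, findings(text) or ["OK: expose_php is Off"])
```

Two caveats worth knowing when you run this against a real install: each SAPI (CLI, Apache module, PHP-FPM) can load its own php.ini, so check the file reported by `php --ini` for the SAPI that actually serves traffic, and confirm at runtime with `ini_get('expose_php')`. The same directive also controls the `X-Powered-By` response header, so turning it Off removes that version leak as well; the easter egg query strings themselves were removed from PHP in 5.5.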
