
My machines routinely get scanned by Qualys and other scanners that report my supported and patched version of php as wildly out of date (even though they're patched quarterly, I get flagged on ancient CVEs for php and apache). I'm rather sick of even advertising that I've got php enabled on these machines. How do they know it's enabled if they don't have an agent on my devices?

Is there some hidden page that I can block or a header from being returned?

I have 'expose_php = On' in my php.ini. I'm guessing I can turn that off, but I don't see what it changes, because I don't see what I've seen elsewhere as the expected "powered by php" message when I do a curl -I against this machine.

I'd also like to not advertise any other modules I may or may not have enabled in apache.

Peter Turner
  • There are similar questions like this here. https://security.stackexchange.com/questions/204793/can-a-hacker-determine-what-version-of-wordpress-and-php-a-site-is-using and https://security.stackexchange.com/questions/52596/techniques-for-enumerating-enabled-apache-modules, for instance – schroeder May 15 '19 at 14:34
  • Have you tried fixing the underlying problem? –  May 15 '19 at 14:42
  • @MechMK1 working on upgrading the platform (and not using php any more) but there is no underlying problem, it's the scanners that need to be tuned. We patch quarterly but still get flagged on 4-year-old CVEs because the scanners only look at the major and maybe the minor version numbers. – Peter Turner May 15 '19 at 15:08
  • If you can say for **sure** that a scanner is giving you a false positive, then you can ignore those results. Automated scanners will **always** have false positives, along with false negatives. Scanners are continuously updated to reduce false positive rates, but they will never be perfect. –  May 15 '19 at 15:40
  • @mech I can ignore those results, but I can't convince non-technical people and people who are apprehensive about having my tools in their environment to ignore them very well. It's getting to the point that every time I deploy tools to a semi-security minded customer I get a list of 200 CVEs I need to vet. This is what I'm asking about. I want to know what scanners are hitting to determine that I'm running such-and-such a version of PHP. – Peter Turner May 15 '19 at 18:06
  • Have you ever conducted a professional pentest of your platform to ensure that all backport patches have been applied correctly? When confronted with 200 false positives, it's easy to overlook the 2 true positives. You mentioned you are working on changing your platform. Depending on when you expect to be done with this, a pentest might still be worth it. Your semi-security-minded customers would certainly appreciate it. If you think it's not worth it, just ignore things and migrate to a new platform. –  May 16 '19 at 10:15
  • Try httpie -- https://github.com/jakubroztocil/httpie and see what your server serves to clients. – user96931 May 23 '19 at 15:13
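As an added check, not from the question or its comments: a small parser for the header block that `curl -I` prints, flagging the `Server` and `X-Powered-By` values a scanner can read versions from. Both responses below are constructed; the hardened one assumes `ServerTokens Prod` in the Apache config and `expose_php = Off` in php.ini.

```python
import re
from typing import Dict, List, Tuple

# Headers that usually carry product/version strings for a scanner to match on.
# Server is set by Apache (ServerTokens); X-Powered-By is added by PHP when
# expose_php = On. Anything shaped like "name/1.2.3" counts as a disclosure.
VERSION_HEADERS = ("server", "x-powered-by")
VERSION_TOKEN = re.compile(r"[A-Za-z][\w.+-]*/\d+(?:\.\d+)*")


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP response as printed by `curl -I` into {name: value}."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:   # [0] is the status line
        if not line.strip():
            break                                # blank line ends the headers
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        # Keep duplicates (e.g. two Server headers) rather than drop them.
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def find_version_disclosures(raw: str) -> List[Tuple[str, str]]:
    """Return (header, token) pairs for every product/version string found."""
    headers = parse_headers(raw)
    return [(name, token)
            for name in VERSION_HEADERS
            for token in VERSION_TOKEN.findall(headers.get(name, ""))]


# Constructed sample: a stock Apache + mod_php box before hardening.
DEFAULT_RESPONSE = """HTTP/1.1 200 OK
Date: Wed, 15 May 2019 14:00:00 GMT
Server: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.1 PHP/7.2.19
X-Powered-By: PHP/7.2.19
Content-Type: text/html; charset=UTF-8
"""

# Constructed sample: the same box after `ServerTokens Prod` in the Apache
# config and `expose_php = Off` in php.ini.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Date: Wed, 15 May 2019 14:00:00 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
"""
```

This only covers what the headers give away; scanners can still fingerprint PHP and Apache modules from behaviour, which is what the questions linked in the comments above discuss.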

0 Answers