I have a web server which responds to a HEAD /
request with the following response:
HTTP/1.1 200 OK
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.26
....
Is it possible to know what the Ubuntu version is using those HTTP response headers (Apache/PHP version)?
CodePudding user response:
"5.5.9-1ubuntu4.26" is the version of the PHP package that is installed. The Debian/Ubuntu version labelling scheme is complicated, and I'm not sure of the details, but it's basically "PHP version 5.5.9, Debian/Ubuntu package version 1 / 4.26".
Firstly, note that this is much more valuable to an attacker than knowing the base OS version - if that isn't the latest patch, they can know immediately which security vulnerabilities you will still be vulnerable to.
Secondly, while I don't know offhand the most efficient way to search, all package versions are listed on https://launchpad.net/ along with the Ubuntu versions they are compatible with. It's possible that same package version can be installed on multiple base OSes, but it would certainly be possible to narrow it down to a list of candidates.
Thirdly, PHP 5.5 is now extremely old - its last official patch was 5 and a half years ago - and it's possible there are security issues in it for which fixes are not easy to apply in the Debian/Ubuntu patches. So revealing that you're running that version, regardless of patch version, might well be useful information to an attacker.
The fix is incredibly simple: PHP has a setting called expose_php. Set this to Off and the X-Powered-By header will be removed completely.
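As an added example (not part of the question or the answer above), here is a Python script that does what the answer describes by hand: it splits a Debian/Ubuntu package version string such as 5.5.9-1ubuntu4.26 into its upstream, Debian-revision and Ubuntu-revision parts, and audits a raw HTTP response for Server and X-Powered-By headers that disclose a product version or the operating system. The sample response is constructed from the headers quoted in the question; the function names and regular expressions are my own, not from any library or from the page.

```python
import re

# Constructed sample response, modelled on the headers quoted in the question
# (not captured from any real host).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.7 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.5.9-1ubuntu4.26\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Same response after setting expose_php = Off in php.ini and
# ServerTokens Prod in the Apache configuration (constructed).
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# "<product>/<version>" tokens such as Apache/2.4.7 or PHP/5.5.9-1ubuntu4.26
VERSION_TOKEN_RE = re.compile(r"([A-Za-z_-]+)/([0-9][^\s;,()]*)")
# Parenthesised OS token that Apache appends with ServerTokens OS, e.g. "(Ubuntu)"
OS_TOKEN_RE = re.compile(r"\(([A-Za-z][A-Za-z0-9 ]*)\)")


def parse_deb_version(version):
    """Split a Debian/Ubuntu package version into its components.

    Debian policy: an optional "epoch:" prefix, then the upstream version; the
    last hyphen separates the Debian revision, and Ubuntu appends "ubuntuN" to
    the revision of packages it modified. Native packages have no revision.
    """
    epoch = None
    if ":" in version:
        epoch, version = version.split(":", 1)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        return {"epoch": epoch, "upstream": version,
                "debian_rev": None, "ubuntu_rev": None}
    debian_rev, _, ubuntu_rev = revision.partition("ubuntu")
    return {"epoch": epoch, "upstream": upstream,
            "debian_rev": debian_rev, "ubuntu_rev": ubuntu_rev or None}


def parse_headers(raw):
    """Return the response headers as a dict keyed by lower-cased name."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(headers):
    """List every version or OS disclosure in the Server / X-Powered-By headers."""
    findings = []
    for name in ("server", "x-powered-by"):
        value = headers.get(name)
        if not value:
            continue
        for product, version in VERSION_TOKEN_RE.findall(value):
            finding = {"header": name, "product": product, "version": version}
            if "-" in version:  # looks like a distro package version, split it
                finding["package"] = parse_deb_version(version)
            findings.append(finding)
        for os_name in OS_TOKEN_RE.findall(value):
            findings.append({"header": name, "product": "os", "version": os_name})
    return findings


if __name__ == "__main__":
    for label, raw in (("leaky", SAMPLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(parse_headers(raw)))
```

Running the script lists three disclosures for the leaky response (the Apache version, the Ubuntu OS token, and the PHP package version broken down into upstream 5.5.9, Debian revision 1, Ubuntu revision 4.26) and none for the hardened one; the same audit can be pointed at your own server's HEAD response to confirm that expose_php = Off took effect.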